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effects of the pandemic on our exam administration, we were 
able to ensure that none of the changes resulted in additional 
charges to candidates. In addition to free deferrals, we provided 
candidates with new materials at no cost when those unavoid- 
able deferrals rolled into a new exam period, in which new top- 
ics were covered due to curriculum updates. 


Since its inception in 1997, the FRM program has been the 
global industry benchmark for risk-management professionals 
wanting to demonstrate objectively their knowledge of financial 
risk-management concepts and approaches. Having FRM hold- 
ers on staff gives companies comfort that their risk-management 
professionals have achieved and demonstrated a globally recog- 
nized level of expertise. 


Over the past few years, we've seen a major shift in how individ- 
uals and companies think about risk. Although credit and market 
risks remain major concerns, operational risk and resilience and 
liquidity have made their way forward to become areas of mate- 
rial study and analysis. And counterparty risk is now a bit more 
interesting given the challenges presented by a highly volatile 
and uncertain global environment. 


The coming together of many different factors has changed and 
will continue to affect not only how risk management is prac- 
ticed, but also the skills required to do so professionally and at 
a high level. Inflation, geopolitics, stress testing, automation, 
technology, machine learning, cyber risks, straight-through pro- 
cessing, the impact of climate risk and its governance structure, 
and people risk have all moved up the list of considerations that 
need to be embedded into the daily thought processes of any 
good risk manager. These require a shift in thinking and raise 
questions and concerns about whether a firm's daily processes 


are really fine-tuned, or if its data and information flows are fully 
understood. 


As can be readily seen, we're living in a world where risks are 
becoming more complex daily. The FRM program addresses 
these and other risks faced by both non-financial firms and 
those in the highly interconnected and sophisticated financial- 
services industry. Because its coverage is not static, but vibrant 
and forward looking, the FRM has become the global standard 
for financial risk professionals and the organizations for which 
they work. 


The FRM curriculum is regularly reviewed by an oversight com- 
mittee of highly qualified and experienced risk-management 
professionals from around the globe. These professionals 
include senior bank and consulting practitioners, government 
regulators, asset managers, insurance risk professionals, and 
academics. Their mission is to ensure the FRM program remains 
current and its content addresses not only standard credit and 


market risk issues, but also emerging issues and trends, ensuring 
FRM candidates are aware of not only what is important but also 
what we expect to be important in the near future. 


We're committed to offering a program that reflects the 
dynamic and sophisticated nature of the risk-management 
profession. 


We wish you the very best as you study for the FRM exams, and 
in your career as a risk-management professional. 


Yours truly, 
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The Building 
Blocks of Risk 
Management 


E Learning Objectives 


After completing this reading you should be able to: 


® Explain the concept of risk and compare risk management © Describe and differentiate between the key classes 
with risk taking. of risks, explain how each type of risk can arise, and 
assess the potential impact of each type of risk on an 
® Evaluate, compare, and apply tools and procedures organization. 
used to measure and manage risk, including quantitative 
measures, qualitative risk assessment techniques, and ® Explain how risk factors can interact with each other and 
enterprise risk management. describe challenges in aggregating risk exposures. 


® Distinguish between expected loss and unexpected loss 
and provide examples of each. 


© Interpret the relationship between risk and reward 
and explain how conflicts of interest can impact risk 
management. 


Risk, in the most basic sense, is the possibility that bad things 
might happen. Humans evolved to manage risks such as wild 
animals and starvation. However, our risk awareness is not 
always suited to the modern world (as anyone who has taught 
a child to cross the road knows). Behavioral science shows that 
we rely too much on instinct and personal experience, as biases 
skew our thought processes. Furthermore, even the way we 
frame risk decisions irrationally influences our willingness to 
take risk. 


Even so, surprisingly sophisticated examples of risk manage- 
ment can be seen in early history. In ancient times, merchants 
and their lenders shared risk by tying loan repayments to the 
safe arrival of shipments using maritime loans (i.e., combining 
loans with a type of insurance). The insurance contract sepa- 
rated from the loan contract as early as the fourteenth century 
in northern Italy, creating the first standalone financial risk trans- 
fer instrument. From the seventeenth century onward, a more 
methodical approach to the mathematics of risk can be traced. 
This was followed by the development of exchange-based risk 
transfer in the form of agricultural futures contracts in the eigh- 
teenth and nineteenth centuries (Figure 1.2). 


That methodical approach continued to evolve in the twentieth 
century and beyond, with major advances in financial theory in 
the 1950s; an explosion in risk management markets from the 
1970s onwards; and the emergence of new instruments, such 
as cyber risk insurance, in the early twenty-first century. Risk 
management is an old craft but a young science—and an even 
younger profession. 


How we think about risk is the biggest determinant of whether 
we recognize risks, assess them properly, measure them using 
appropriate risk metrics, and succeed in managing them. 


This introductory chapter looks at the definitions of risk, the 
classic risk management process, the principal types of risk, 
and the tools used to track risk and make decisions. We isolate 
10 risk management building blocks along the way 

(Figure 1.1). 


Most risk management disasters are caused by the failure to 
properly recognize and/or deal with one or more of these 
fundamental building blocks, rather than the failure of some 
sophisticated risk management technique. Centuries-old 
financial institutions have been bankrupted because their 
risk management procedures ignored a certain type of risk, 


1 Not every risk practitioner will agree with our choice. The building 
blocks are not discussed in order of importance, and not every firm 
needs to develop a sophisticated approach to each building block, but 
we would argue that an awareness of each of our 10 building blocks is a 
good place to start thinking about risk management. 


1. The risk management process 

2. Identifying risk: knowns and unknowns 

3. Expected loss, unexpected loss, and tail loss 

4. Risk factor breakdown 

5. Structural change: from tail risk to systemic crisis 
6. Human agency and conflicts of interest 

7. Typology of risks and risk interactions 

8. Risk aggregation 

9. Balancing risk and reward 


10. Enterprise risk management (ERM) 
Ten risk management building blocks. 


misunderstood connections between risks, or did not follow the 
classic steps in the risk management process. 


1.1 TYPOLOGY OF RISKS AND RISK 
INTERACTIONS 


Risk is a wild animal, circling the campfire in the dead of night. 
But what kind of animal is it? 


Figure 1.3 sets out a typology of risks in the financial industry.” 
Given the variety of business models that firms pursue, corpo- 
rate risks take many forms. However, most firms face risks that 
can be categorized within the risk typology discussed in this 
chapter. 


This kind of typology has many uses. It can help organizations 
drill down into the risk-specific factors within each risk type, 
map risk management processes to avoid gaps, and hold staff 
accountable for specific risk domains. 


Indeed, Figure 1.3 relates quite closely to how risk functions are 
organized at many banks and large corporations, where there 
are often particular functions for market risk, credit risk, etc. 
Many of these risk functions worked quite independently of one 
another until an effort to build a more unified risk management 
approach began in the mid-1990s. 


Each key risk type demands a specific set of skills and its own 
philosophical approach. For example, most banks treat market 
and credit risks as a natural part of their business. They recognize 
that risk scales alongside reward and actively pursue risky assets 


2 For a more detailed description of financial risks see M. Crouhy, 
D. Galai, and R. Mark, The Essentials of Risk Management, 2nd ed. 
(Ch. 1, App.), McGraw Hill, 2014. 
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c.1750 BC—Code of Hammurabi records Babylonian maritime 
loan insurance. 


Roman era—Burial societies cover funerary expenses with 
regular premiums. 


Early medieval period—Early guilds support members who 
suffer financial loss. 


1300s—Shipping insurance matures in Genoa. 
1583—First recorded life insurance policy in London 


1650s—Blaise Pascal and Pierre de Fermat lay foundation of 
probability theory. 


1666—Great Fire of London inspires early fire insurance 
companies. 


1688—Lloyds (of London) coffee house first mentioned 
1690s-early 1700s—Development of mortality tables in London 


Late 1600s—early 1700s—Jakob Bernoulli describes law of 
large numbers/statistical inference. 

1730—Japanese rice futures traded in Osaka (world’s first 
futures). 

1730—Normal distribution and standard deviation described 
by Abraham de Moivre. 

1762—First life insurer to calculate premiums in scientific 
manner (forerunner of Equitable Life) 

1764—Publication of Thomas Bayes’ 1750s work (Bayesian 
statistics) 

1846—Cologne Re: first dedicated reinsurance company 

1864—Chicago Board of Trade lists first US standardized 
futures contracts (corn). 

1875—Francis Galton, British statistician, describes regression 
to the mean. 

1900—Louis Bachelier models Brownian motion to investigate 
financial assets. 

Early 1900s—Lloyds underwriters collect catastrophe risk data 
for pricing, for example, hurricane records. 

1921—Frank Knight explores ‘Risk, Uncertainty and Profit’. 

1950s—1960s—Large corporations self-insure; “risk manager” 
used for widened insurance purchaser role. 


1952—Diversification and modern portfolio management: 
Harry Markowitz 


1961-1966—Capital Asset Pricing Model: William Sharpe and 
John Lintner 


1970s—Decade of market liberalization and price and interest 
rate volatility 


EMASE] Risk management timeline. 


1972 —CME currency futures contracts 


1973—Chicago Board of Trade (CBOT) options on stocks; 
Chicago Board Options Exchange (CBOE) created 


1973—Black-Scholes option pricing formula 
Mid 1970s—Treasury bill and bond futures 
1979-1980—OTC currency options and swaps 


Early 1980s—Growth of early OTC markets; first interest rate 
swaps 


1983—Interest rate caps and floors 


1987—Commodity swaps; average options; and other path- 
dependent options 

1988—Basel Accord (Basel |) banking reform, focused on credit 
risk 

1990—Collateralized loan obligations 


Early 1990s—Credit derivatives develop, for example, credit 
default swaps 


1993—CBOE volatility index (VIX) 


1994—J.P. Morgan publishes value-at-risk (VaR) methodology 
(RiskMetrics) 


1994-1995—Classic cases of derivative misuse, for example, 
Orange County, Barings Bank 


1996—Market Risk Amendment for Basel | 
1998—Russia financial crisis, LTCM near collapse 


1998-1999—Synthetic CDOs (collateralized debt obligations); 
CDOs of CDOs (CDO squared) 


2001—Terrorist attacks on World Trade Center (9/11); Enron 
collapse, corporate scandals 


2002—Sarbanes-Oxley Act (SOX) to prevent fraudulent 
accounting 


2004—Basel II (including operational risk capital) 
2004-2006—VIX futures, options 
2007-2009—Global Financial Crisis 
2009—Contingent convertible bonds (CoCos) 
2010—Basel III ongoing (including liquidity risk) 
2010—Dodd-Frank Act 


2011 onwards—Fast development of cyber risk transfer 
market 


2016—Solvency II reform in effect for insurance industry 


2017—Finalized Basel Ill reforms released 


Note: The dates in this timeline are sometimes an approximation; in particular, the development date of various OTC risk transfer instruments can be 


open to debate. 


(e.g., particular credit segments). An increase in operational risks, 


on the other hand, does not lead to greater reward, so banks 
avoid these risks when they can. Below we look at the key risk 


types in turn, but first a word of warning. Risk typologies must be 


flexible because new risks are always emerging. A banking indus- 
try risk typology made in the early 1990s may have not consid- 
ered rogue trading risk or even the entire operational risk class. 
As of 2020, “new” forms of operational risk are again climbing 
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A typology of risks for the banking industry. 


up the risk manager's watch list: cyber risk (particularly the risk of 
hackers stealing and destroying data and compromising systems) 
and data privacy risk. 


Furthermore, the risk types interact with one another so that risk 
flows. During a severe crisis, for example, risk can flow from credit 
risk to liquidity risk to market risk, (which was the case during the 
global financial crisis of 2007-2009). The same can occur within an 
individual firm: the “fat finger” of an unlucky trader (operational 
risk) creates a dangerous market position (market risk) and poten- 
tially ruins the standing of the firm (reputational risk). That is why 
a sophisticated understanding of risk types and their interactions 
is an essential building block of risk management. 


Market Risk 


Market prices and rates continually change, driving the value of 
securities and other assets up and down. These movements create 
the potential for loss, as price volatility is the engine of market risk. 


Market risk takes many forms depending on the underlying asset. 
From a financial institution's perspective, the key forms are equity 
risk, interest rate risk, currency risk, and commodity price risk. 


3 New risks tend to be born out of a fundamental change in market and 
industry practice. Bank rogue trading risk rose out of the growth of the 
derivatives industry and a rise in proprietary trading; bank liquidity risk 
during the global financial crisis arose out of insidious changes in bank 
funding strategies and leverage; legal risk in the period since the crisis 
has been exacerbated by a new wave of class action lawsuits and claims 
for compensation (not to forget some poor bank behavior); and cyber 
risk is a product of the digital revolution. 


Each of these markets has its own risk management tools and 
methodologies, and we give examples of corporate applications 
and strategies in Chapter 2. However, across all these markets, 
market risk is driven by the following. 


© General market risk: This is the risk that an asset class will fall 
in value, leading to a fall in the value of an individual asset or 
portfolio. 


e Specific market risk: This is the risk that an individual asset 
will fall in value more than the general asset class. 


Market risk can be managed through the relationships between 
positions. The diversification benefits of a large equity portfolio, 
for example, form the bedrock of investment risk management. 


However, market risk also arises from these relationships. For 
example, an equity portfolio designed to track the performance 
of an equity market benchmark might fail to track it perfectly—a 
special form of market risk. Likewise, a position intended to balance 
out, or hedge, another position or market price behavior might do 
so imperfectly—a form of market risk known as basis risk. 


For risk managers, this mismatching of price movements is often 
a bigger problem than any single market risk exposure. For 
example, a commodity risk manager might decide to use crude 
oil futures to hedge the price of jet fuel based on the historical 
relationship between crude oil price movements and jet fuel price 
movements. However, the hedge may fail due to an adverse 
change in the historical relationship between the price movement 
of these two commodities that renders the hedge ineffective, or 
worse, results in a greater loss than if no hedge was placed. 
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Credit Risk 


Credit risk arises from the failure of one party to fulfill its financial 
obligations to another party. Some examples of credit risk include 


e A debtor fails to pay interest or principal on a loan (bank- 
ruptcy risk or default risk); 


e An obligor or counterparty is downgraded (downgrade risk), 
indicating an increase in risk that may lead to an immediate 
loss in value of a credit-linked security; and 


e A counterparty to a market trade fails to perform (counter- 
party risk), including settlement or Herstatt risk. 


Credit risk is driven by the probability of default of the obligor 
or counterparty, the exposure amount at the time of default, 
and the amount that can be recovered in the event of a default. 
These levers can all be altered by a firm's approach to risk man- 
agement through factors such as the quality of its borrowers, 
the structure of the credit instrument, and controls on exposure. 
The structure of the credit instrument involves whether the 
credit instrument is collateralized or not, the type of collateral 
if it is collateralized, the priority of the creditor in the case of 
bankruptcy, and inclusion of protective covenants in the loan 
agreement that impose restrictions on the borrower so as to 
protect the lender. 


The exposure amount is clear with most loans but can be volatile 
with other kinds of transactions. For example, a derivative trans- 
action may have zero credit risk at the outset because it has no 
immediate value in the market. However, it can quickly become 
a major counterparty credit exposure as markets change and the 
position of one counterparty gains at the expense of the other 
counterparty. 


Traditionally, the probability of default of an obligor is assessed 
through identifying and evaluating a selection of key risk factors. 
For example, corporate credit risk analysis looks at key financial 
ratios, industry sectors, etc. Meanwhile, the risk in whole port- 
folios of credit risk exposures is driven by obligor concentration 
(i.e., the exposure to each obligor relative to the portfolio's 
value) as well as the relationship between risk factors. The port- 
folio will be a lot riskier if: 


e It has a small number of large loans rather than many smaller 
loans; 


e The returns or default probabilities of the loans are positively 
correlated (e.g., borrowers are in the same industry or region); 


4 Named after the failure of Herstatt bank in Germany. The bank, a participant 
in the foreign exchange markets, was closed by regulators in 1974. The timing 
of the closure caused a settlement failure because Herstatt’s counterparties 
had already paid their leg of foreign currency transactions (in Deutsche Marks) 
only to find the defunct Herstatt unable to pay its leg (in US dollars). 


e The exposure amount, probability of default, and loss given 
default amounts are positively correlated (e.g., when defaults 
rise, recovery amounts fall).5 


Risk managers use sophisticated credit portfolio models to 
uncover risk arising from these combinations of risk factors. 


Liquidity Risk 


Liquidity risk is used to describe two quite separate kinds of risk: 
funding liquidity risk and market liquidity risk. 


Funding liquidity risk is the risk that covers the risk that a firm 
cannot access enough liquid cash and assets to meet its obli- 
gations. Funding liquidity risk threatens all kinds of firms. For 
example, many small and fast-growing firms find it difficult to 
pay their bills quickly enough while still having sufficient funds to 
invest for the future. 


Banks have a special form of funding liquidity risk because their 
business involves creating maturity and funding mismatches. 
One example of a mismatch is that banks aim to take in short- 
term deposits and lend the money out for the longer term at a 
higher rate of interest. Sound asset/liability management (ALM), 
therefore, lies at the heartening of the banking business to help 
reduce the risk. There are various techniques involved in ALM, 
including gap and duration analyses. 


Of course, banks sometimes get it wrong, with disastrous con- 
sequences. Many of the banks that failed during the 2007-2009 
global financial crisis had built up large maturity mismatches and 
were vulnerable to the wholesale funding market's perception of 
their creditworthiness. 


Market liquidity risk, sometimes known as trading liquidity risk, 
is the risk of a loss in asset value when markets temporarily 
seize up. If market participants cannot, or will not, take part 

in the market, this may force a seller to accept an abnormally 
low price, or take away the seller's ability to turn an asset into 
cash and funding at any price. Market liquidity risk can trans- 
late into funding liquidity risk overnight in the case of banking 
institutions too dependent on raising funds in fragile wholesale 
markets. 


It can be very difficult to measure market liquidity risk. Measures 
of market liquidity in a normal market, for example, might look at 
the number or volume of transactions and at the spread between 
the bid-ask price. However, these are not necessarily good indi- 
cators that a market will remain liquid during a time of crisis. 


5 These concepts will be explored later in this book. 


é See M. Crouhy, D. Galai, and R. Mark, The Essentials of Risk 
Management, 2 ed. (Ch. 8), McGraw Hill, 2014. 
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BOX 1.1 BANK OPERATIONAL RISK: MEASURE OR MANAGE? 


No one doubts the importance of operational risk, but its 
measurement remains challenging. The banking industry 
embarked on the project in the late 1990s, mainly because it 
seemed logical to set capital aside for operational risk along- 
side that set aside for credit and market risks. The industry 
built extensive loss databases along with a set of risk measure- 
ment tools including statistical analysis, scorecard systems, 
sets of key risk indicators, and scenario analysis approaches. 


However, many banking regulators remained skeptical about 
whether these tools could support accurate risk capital allo- 
cation. The Basel Committee signaled a change of direction 
in 2016.’ It would continue to encourage banks to 


Operational Risk 


Operational risk can be defined as the “risk of loss resulting 
from inadequate or failed internal processes, people, and sys- 
tems or from external events.”® It includes legal risk, but 
excludes business, strategic, and reputational risk. 


That is a deliberately broad definition, and it includes everything 
from anti-money laundering risk and cyber risk to risks of terror- 
ist attacks and rogue trading. The outbreaks of rogue trading 

in the 1990s helped persuade regulators to include operational 
risk in bank capital calculations. 


Looking beyond the banking industry, we might include many 
corporate disasters under the operational risk umbrella. These 
include physical operational mishaps and corporate governance 
scandals, such as the crisis at energy giant Enron in 2001. The 
management of operational risk is the primary day-to-day 
concern for many risk managers outside the financial industry, 
often through insurance strategies. 


The definition and measurement of operational risk continues to be 
problematic, however, especially in the financial industry (Box 1.1). 


Business and Strategic Risk 


Business risks lie at the heart of any business and includes all the 
usual worries of firms, such as customer demand, pricing deci- 
sions, supplier negotiations, competition, and managing prod- 
uct innovation. 


Strategic risk is distinct from business risk. Strategic risk involves 
making large, long-term decisions about the firm’s direction, 


7 Basel Committee, Standardised Measurement Approach for Opera- 
tional Risk, March 2016: https://www.bis.org/bcbs/publ/d355.pdf. The 
move built on earlier proposals in 2014. 


8 Basel Committee on Banking Supervision, Principles for the Sound 
Management of Operational Risk, June 2011, https://www.bis.org/publ/ 
bcbs195.pdf, page 3, footnote 5. 


understand their operational risk using a variety of tools, but 
capital allocation would be based on a simpler standardized 
approach using weighted bank size with a multiplier based 
on a bank's record of larger operational risk losses. 


However, this will not dampen bank efforts to manage opera- 
tional risk. Operational risk includes the massive legal threats 
and claims for compensation that have plagued banks since the 
2007-2009 global financial crisis. It includes the growing threat 
of cyber risk and the threat of penalties and lawsuits over data 
privacy infringements. In all its guises, operational risk remains 
one of the biggest threats to banks and other large corpora- 
tions, even if it is impossible to properly measure its true cost. 


often accompanied by major investments of capital, human 
resources, and management reputation. 


Business and strategic risks consume much of the attention of 
management in non-financial firms, and they are clearly also 

a key concern in financial firms. However, it is not obvious 
how they relate to the other risks that we discuss or fit within 
each firm's risk management framework. For example, today 
banks and other financial institutions are facing competition 
from so-called financial technology [FinTech] companies. Bank 
management must decide whether to develop those same 
services internally, acquire those companies, or partner with 
FinTech companies. 


A sudden fall in customer demand, the failure to launch the right 
kind of new product, or a misplaced major capital investment can 
threaten a firm's survival. Responsibility for these risks lies with the 
firm's general management. So what is the role of the risk manager? 


The answer lies in three observations. 


1. First, the firm's management needs to define its appetite 
for risk in a holistic manner that embraces the risk of sig- 
nificant business and strategic decisions. Firms can be very 
conservative with respect to credit risk, yet very entrepre- 
neurial with respect to business risk. However, the logic for 
that divergence needs to be articulated by management. 


2. Second, the chief risk officer and supporting team may have 
specific skills they can bring to bear in terms of quantifying 
aspects of business and strategic risk. Credit experts, for exam- 
ple, often become involved in managing supply chain risk. 

As we discuss in a later chapter, new techniques such 
as macroeconomic scenario analysis can be adopted to 
improve business and strategic decisions. 


3. Third, business decisions generate large exposures in other risk 
management areas, such as credit risk and commodity price risk. 
As a result, financial risk managers must be involved at the start 
of business planning. For example, it may be impossible to fund 
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the construction of a power station without having some form 
of energy price risk management strategy in place. Meanwhile 
in the financial industry, expanding a credit business will increase 
credit exposures and may necessitate the deliberate lowering 

of credit standards. Banks that fail to coordinate business, stra- 
tegic, and risk management goals do not survive for long. 


Reputation Risk 


Reputation risk is the danger that a firm will suffer a sudden fall 
in its market standing or brand with economic consequences 
(e.g., through losing customers or counterparties). 


Reputation risk usually comes about through a failure in another area 
of risk management that damages confidence in the firm’s financial 
soundness or its reputation for fair dealing. For example, a large 
failure in credit risk management can lead to rumors about a bank's 
financial soundness. Rumors can be fatal in themselves. Investors and 
depositors may begin to withdraw support in the expectation that 
others will also withdraw support. Banks need to have plans in place 
for how they can reassure markets and shore up their reputations. 


A reputation for fair dealing is also critical. Large firms are 
expected to behave in certain ways. If a firm misrepresents a 
product's risks, it can lose important customers. 


Reputation with regulators is particularly important to financial 
institutions. Regulators wield considerable informal as well 

as formal power. A bank that loses the trust of a regulator 
may become the subject of extensive examinations and/or its 
activities may be criticized or curtailed. 


2. ANALYZE 


Rank, Score, Measure, 
Quantify 


EVALUATE 


4. MANAGE 3. ASSESS IMPACT 


Avoid, Retain, Mitigate, Effects, Knock-Ons, 
Transfer Repercussions 


The risk management process. 


1.2 THE RISK MANAGEMENT 
PROCESS 


We take risks in pursuit of reward, whether that reward is food, 
shelter, or digital currencies. But the key questions are twofold: 
(1) is the risk commensurate with the reward, and (2) could we 
lower the risk and still get the reward? Our attempt to address 
these questions gives rise to our first building block: the classic 
risk management process (Figure 1.4). 


During this process, the risk manager attempts to: identify the 
risk (e.g., Box 1.2), analyze and measure the risk, assess the 
effects of any risk event, and finally manage the risk. 


BOX 1.2 BRAINSTORMING AND TRIAGING RISKS 


The first steps toward risk identification and triage take some 
classic forms. 


e Brainstorming: This could include discussions with repre- 
sentatives from different business divisions to discuss the 
risk exposures they face and scenarios that could negatively 
impact their divisions. The most obvious approach is to put 
the key professionals (e.g., business leaders, audit profession- 
als, etc.) in a room and talk to them. What is your personal 
professional nightmare? What else could go wrong, why 
would it go wrong, and how badly could it go wrong? What 
are the root causes and what are the consequences (e.g., in 
terms of triggering further risks)? Who is accountable? 


e Structured interviews, questionnaires, and surveys: These 
are an attempt to push that initial inquiry out to a wider 
group of professionals within the company or throughout 
the industry. They should include open-ended questions. 


e Industry resources: Unless the activity is unique, there will 
be industry resources available in the form of checklists, 
professional and regulatory standards, industry surveys, 
and expert opinions. These resources should be used to 
enrich the brainstorming process. 


Loss data analysis: Brainstorming often identifies many 
potential risks. The analyst will next want to look at how 
the wider industry categorizes each risk and at any inter- 
nal and external loss records available, to gauge the fre- 
quency and severity of loss events and how they relate to 
specific risk factors. 


Basic risk triage: Not every risk is quantifiable in an exact 
way, but risk managers should be able to determine a 
given risk‘s frequency and severity. 


Hypothetical what-if analysis: Initial research may suggest 
worst-case scenarios that the brainstorming team can be 
asked to consider. 


Front line observation: There is no substitute for going to 
the business line or function and looking at how things are 
done. Have front-line staff been included in the risk infor- 
mation gathering process? 


Following the trail: How are key processes conducted 
and what are the risks associated with them? Can we see 
weaknesses or gaps in the process? Can we track our 
worst nightmares backwards through the process? 
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Identifying the risk can be just as important as its size in deter- 
mining the appropriate risk management strategy. Across the 
corporate world, some risks are regarded as natural to a business 
and others as quite foreign. Manufacturers, for example, often 
accept and manage the operational risks of complex factory 
processes but try to avoid or transfer large market or credit risks. 
Investors often react badly to mishaps concerning risk types they 
believe are unnatural to a firm (e.g., a loss from a speculative 
derivatives position held by a non-financial corporation). 


The risk management process culminates in a series of choices 
that both manage risk and help to define the identity and pur- 
pose of the firm. 


e Avoid Risk: There are risks that can be sidestepped by discon- 
tinuing the business or pursuing it using a different strategy. For 
example, selling into certain markets, or off-shoring production, 
might be avoided to minimize political or foreign exchange risks. 


e Retain Risk: There are risks that can be retained within the 
firm’s risk appetite. Large risks can be retained through 
mechanisms such as risk capital allocation, self-insurance, and 
captive insurance. 


e Mitigate Risk: There are risks that can be mitigated by reducing 
exposure, frequency, and severity (e.g., improved operational 
infrastructure can mitigate the frequency of some kinds of 
operational risk, hedging unwanted foreign currency exposure 
can mitigate market risk, and receiving collateral against a 
credit exposure can mitigate the severity of a potential default). 


e Transfer Risk: There are risks that can be transferred to a third 
party using derivative products, structured products, or by 
paying a premium (e.g., to an insurer or derivatives provider). 


As the risk taker improves its risk management strategy, it will 
begin to avoid or mitigate non-essential or value-destroying 
risk exposures, which in turn will allow it to assume more risk 

in areas where it can pursue more value-creating opportunities 
for its stakeholders. Investment in risk management thus allows 
farmers to grow more food, metals producers to produce more 
metal, and banks to lend more money. Risk management allows 
firms to excel. 


In modern economies, risk management is therefore not only 
about corporate survival. It is critically important to the broader 
processes of specialization, scaling, efficiency, and wealth 
creation. 


This explains why risk never really goes away. Risk management 
success is a platform for greater endeavors. The risk manager is 
constantly identifying, evaluating, and managing risks to achieve 
the right balance between creating value and exposing the firm 
to undue risk. However, identifying and analyzing risk in a fast- 
changing world remains a major challenge. 


Knightian 
Uncertainty 
"Known 
Unknowns" 


> 
Loss 


Risk managers face the unknown and 
unexpected. 


1.3 IDENTIFYING RISK: KNOWNS 
AND UNKNOWNS 


One of the easiest mistakes to make is to focus on risks that are 
known and measurable while ignoring those that are unknown 
or sets out. 


Figure 1.5, our second building block, sets out a fundamental classi- 
fication of known versus unknown risk that considers a classic paper 
on risk by economist Frank Knight,? and the much-quoted words of 
Donald Rumsfeld, former United States Secretary of Defense: 


“There are things we know that we know. There are known 


10 


unknowns . . . But there are also unknown unknowns. 


Rumsfeld said this when trying to encapsulate the danger of 
terrorists using weapons of mass destruction. His point was that 
humans tend to focus on the risks for which they have data and 
ignore potentially larger risks that are unknown or poorly under- 
stood. Yet those risks exist and must be managed. 


Some of the distinctions in Figure 1.5 are much older than 
Rumsfeld's quote. In his famous 1921 paper, Knight distin- 
guished between variability that cannot be quantified at all, 
which he called uncertainty, and “true” risk that can be quanti- 
fied in terms of statistical science. (Box 1.3) 


oF Knight, Risk, Uncertainty, and Profit (New York: Houghton Mifflin, 
1921). 


10 Donald Rumsfeld, US Secretary of Defence, press conference, NATO 
HO, Brussels, 6 June 2002, responding to a question regarding terrorism 
and weapons of mass destruction and the possible inadequacy of intelli- 
gence information: https://www.nato.int/docu/speech/2002/s020606g.htm 
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BOX 1.3 RISK VERSUS UNCERTAINTY 


Economists have argued about the distinction between risk 
and uncertainty since the early 1920s. The distinction was 
first made in 1921 by two economists, Frank Knight? and 
John Maynard Keynes.” Knight explained the distinction 
between risk and uncertainty as follows which he referred 
to as “measurable risk” or “risk proper.” Risk, according to 
Knight, applies to decision making when the outcome of 
the decision is unknown, but the decision maker can fairly 
accurately quantify the probability associated with each out- 
come that may arise from that decision. Knight viewed uncer- 
tainty, which he referred to as “unmeasurable uncertainty” 
or “true uncertainty,” as applicable to decisions when the 
decision maker cannot know all the information needed 

in order to obtain all the probabilities associated with the 


outcomes. Today we refer to this as Knightian uncertainty. 
As similar distinction between risk and uncertainty was made 
by Keynes in 1921. He argued that there is risk that can be 
calculated and another sort of risk he labeled “irreducible 
uncertainty.” He understood that for some decisions, the 
risks cannot be calculated because attempting to do so 
would necessitate the reliance on assumptions about the 
future that have no basis in probability theory. 


a Frank Knight, Risk, Uncertainty, and Profit (New York: Houghton 
Mifflin, 1921). 


John Maynard Keynes, Treatise on Probability (New York: Macmillan, 
1921) 


BOX 1.4 METEORS AND MOONWALKING, ICEBERGS AND ELEPHANTS 


When is a risk truly unknown? Perhaps when it arrives out 

of the blue like a meteor. But many risks are more unseen 
than unknown. In a 2018 speech, the Bank of England’s Alex 
Brazier separated these risks into “moonwalking bears” and 
“underwater icebergs.” 


Moonwalking bears are named after a viral video that shows 
how people avidly watching a basketball game failed to 

see a bear impersonator on the screen. This kind of risk can 
be seen during periods of compressed yields in the debt 
market: the evidence that risk is being bought too cheaply 
is plain to see on every financial screen, but investors keep 
on buying. 


Incalculable Knightian uncertainties can be very large and impor- 
tant. Nuclear war is a major threat to the world, but its chances 
of happening are impossible to estimate. 


Even so, Knightian uncertainties can be managed through avoid- 
ance and other forms of risk management. Multilateral nuclear 
disarmament, whether wise or not, would remove the risk of 
nuclear war. For difficult actions to be taken, however, there has 
to be agreement that the Knightian uncertainty is plausible and 
extremely threatening in terms of its severity (if unquantifiable in 
terms of frequency). 


The boundary between Knightian uncertainty and measurable, 
statistical risk can be fluid Before 1950, the size of the health 
threat from smoking was uncertain and cigarette producers reg- 
ularly advertised their brand as the one that doctors chose to 
smoke. By the mid-1970s, dedicated researchers had turned 
this uncertainty into a quantified statistical health risk or 


The underwater icebergs are more difficult to spot and 
include the growth in leverage in some financial firms in the 
run up to the 2007-2009 global financial crisis. After the risk 
event, these risks also seem obvious because they are usually 
concerned with some fundamental weakness. 


To this ensemble, we might add the age-old elephant in the 
room. This is the risk that is easy to see, that everyone has 
indeed spotted, but that it would be impolite to publicly 
acknowledge. 

Source: Alex Brazier, Executive Director for Financial Stability 
Strategy and Risk, Bank of England, “Moonwalking Bears and 
Underwater Icebergs,” 26 April 2018. 


“known known": one in two long-term smokers die from the 
habit." 


Do the distinctions between the risk classes in Figure 1.5 mat- 
ter to financial risk managers? Yes. Risk managers take respon- 
sibility for all sorts of risk, not just those that can be measured. 
They must continuously search for Rumsfeld's “unknown 
unknowns,” including risks that are hiding in plain sight 

(Box 1.4). They cannot simply ignore Knightian uncertainties. 
In fact, they sometimes need to make sure their firms avoid or 
transfer them. 


11 This may be a conservative estimate, with the most recent research 
suggesting that smoking eventually kills around two in three smokers. 
See M. Roberts, “Tobacco Kills Two in Three Smokers,'’” BBC News 
online, 24 February 2015: http://www.bbc.co.uk/news/health-31600118 
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Where they can, risk managers move poorly understood risks 
from the periphery of Figure 1.5 to a position nearer to the cen- 
ter. As cigarettes have demonstrated, Knightian uncertainties 
can be more severe and prevalent than we initially suspect. 


However, risk managers must never treat risks that cannot be 
measured as if they are a known quantity. Uncertainty and ambi- 
guity must be acknowledged because they exist in much greater 
amounts for some risky activities than for others. Our confidence 
in a risk measure shapes how the result should be applied in 
decision-making. ' 


1.4 QUANTITATIVE RISK METRICS 


Figure 1.5 makes an important distinction between expected 
and unexpected loss. This distinction is our third building block. 


Expected loss (EL) is the average loss a position taker might 
expect to incur from a position or portfolio. In theory, some 
portfolios realize losses that rarely depart far from this average. 
The losses from this kind of portfolio may be amenable to sta- 
tistical measurement over a relatively short period of time with 
a fair degree of confidence. They might vary, for example, from 
year to year, but not by too much. 


The EL of a portfolio can be calculated by identifying and esti- 
mating values for the key underlying risk factors. In general, EL 
is a function of (1) the probability of the risk event occurring; 

(2) the firm's exposure to the risk event; and (3) the severity of 
the loss if the risk event occurs. In the case of the credit risk of 
a loan, these become the borrower's probability of default (PD); 
the bank's exposure at default (EAD); and the severity of loss 
given default (LGD). Thus, EL is simply: 


EL = EAD x LGD x PD 


Where EL can be calculated with confidence, it can be treated 
like a variable cost or predictable expense rather than a risk or 
uncertainty. The bank can make a profit simply by adding a 
price margin that covers the cost of the EL.'? Here, the risk 
manager's role is primarily to measure the amount of EL and 
to make sure the portfolio does not lose its predictable 
quality. 


12 For further discussion of the role of uncertainty in economics, see 
A. Lo and M. Mueller, “Warning: Physics Envy May Be Hazardous to 
Your Wealth!” March 19, 2010: http://papers.ssrn.com/sol3/papers. 
cfm?abstract_id=1563882 


K Theoretically, therefore, banks should not need to set aside provisions 
for expected losses where these are accurately priced into a product, 
though they will need to allocate risk capital for unexpected loss levels. 
For a discussion about why banks should, in the real world, provision for 
expected losses as well see B. Cohen and G. Edwards, “The New Era of 
Expected Credit Loss Provisioning,” BIS Quarterly Review, March 2017: 
https://www.bis.org/publ/qtrpdf/r_qt1703f.htm 


Expect the Unexpected 


That said, well-behaved portfolios inevitably offer surprises. EL 
is created from good and bad days. On a bad day, losses can 
range above the expected level (e.g., the result of an announce- 
ment of fraud in a credit card business or simply an unlucky 
sequence of losses). The extent to which losses depart from the 
average is called the unexpected loss level. 


In a credit portfolio, the potential for unexpected loss might be 
driven by something quite simple, such as the number and size 
of the loans. When a portfolio is composed of a large proportion 
of small loans, there is little chance of one very important loan 
defaulting. In addition, if the portfolio is well diversified, there 

is little chance of multiple losses occurring together to generate 
unexpected loss levels. 


Also, consider that the amount of EL (and unexpected loss) in 
a credit portfolio is changing continuously. These fluctuations 
are driven by factors such as changes in the macroeconomic 
environment and size and constitution of the portfolio (e.g., its 
credit quality or correlations). Estimating expected losses for 
even a well-behaved portfolio involves a fair amount of art as 
well as science—and some big assumptions. 


From Unexpected to Extreme 


Some credit portfolios, however, exhibit a much more extreme 
variance in their losses over intervals of time (e.g., a decade). 
Here, the expected losses over time are constructed from both 
long runs of good years (when losses are much lower than aver- 
age) and short runs of bad years (when losses are much higher 
than average). In the bad years, losses reach unexpected and 
even extreme levels. 


These portfolios can be very deceptive from a risk management 
point of view. It is easy to be lulled into a complacent view of risk 
exposure and then experience a sudden shock. For this kind of 
risky position or portfolio, banks need to allocate large amounts 
of risk capital to protect against large unexpected losses that 
can trigger insolvency and default. This allocation of risk capital 
is done in addition to pricing EL into the product directly. 


Risky Relationships 


A classic example of this loss level variability can be seen in the 
regular cycles of boom and bust in commercial real estate (CRE) 
markets around the world.'4 


14 This classic cycle is well documented in the literature, for example, 
European Systemic Risk Board, Report on Commercial Real Estate and 
Financial Stability in the EU, December 2015, available at: https://www 
.esrb.europa.eu/pub/pdf/other/2015-12-28_ESRB_report_on_commer- 
cial_real_estate_and_financial_stability.pdf 


10 @ Financial Risk Manager Exam Part I: Foundations of Risk Management 


First, demand for commercial property strengthens, often in line 
with general economic upswings. But CRE supply is inelastic": it 
takes time to construct a property. Prices rise, attracting inves- 
tors, banks, and other lenders, who may begin to relax loan-to- 
value ratios and other safeguards to gain market share. 


Eventually, prices begin to weaken through a combination of 
cyclical oversupply of property and deteriorating economic 
conditions. Banks begin to withdraw credit from investors and 
developers in the market, exacerbating the fall. Overextended 
property developers experience cash flow problems. Property 
loses value as collateral. The financial condition of CRE lenders 
deteriorates and lending dries up. One fire sale later—and the 
market has entered a devastating cycle of feedback. 


The result for lenders is that the probability of default by prop- 
erty developers rises at the same time collateral values fall—a 
bad combination referred to as wrong way risk. The global CRE 
markets are one of the clearest examples of how risk factors act 
together to produce waves of extreme loss. 


There are many other examples in the financial markets of risk 
factors that can act together to generate risk. For example, in 
derivative markets, the value of a contract with a counterparty 
may tend to rise simultaneously with the default risk of the coun- 
terparty (another example of wrong way risk). 


Value-at-Risk 


In January 1990, Dennis Weatherstone, newly appointed CEO of 
J.P. Morgan, called for a report on the total risk of his bank to be 
delivered to his desk every day at 4:15 p.m. The request helped 
to drive the development of a new global risk metric: Value-at- 
Risk (VaR).1¢ 


Jorion defines the VaR measure as the “worst expected loss 
over a given horizon under normal market conditions at a given 
level of confidence.” 1” For example, suppose that a bank's trad- 
ing portfolio has a weekly VaR at the 95% confidence level of 
$10 million. This means that under normal market conditions, 
there is a 5% probability that the bank’s trading portfolio will 
lose more than $10 million over the next week. As another 
example, suppose that a fund’s monthly VaR at the 99% confi- 
dence level is a loss of 3%. This means that under normal market 


15 An inelastic supply refers to a market situation wherein a change in 
the price of a product (in this case CRE) does not result in a correspond- 
ing change in supply of that product. 


16 Other firms such as Bankers Trust, a US merchant bank, had been 
working to build global risk reports in the period, and many of the 
concepts underlying VaR appeared prior to the 1990s. J.P. Morgan pub- 
lished the methodology behind its VaR model in 1993/4. 


17 P Jorion, Value at Risk: The New Benchmark for Managing Financial 
Risk. New York, NY: McGraw-Hill, 2001 


conditions, there is a 1% probability that the fund will have a 
loss that is greater than 3%. 


VaR uses the loss distribution associated with a position or portfolio 
to estimate losses at a given level of likelihood (or confidence). How- 
ever, an important point is that for any given loss distribution, the 
VaR number would tend to fall if we eased the confidence level 

to 95%. The number would also rise or fall if the shape of the loss 
distribution changed. For example, a loss distribution with a much 
fatter tail incurs more unexpected loss and a larger VaR number. 


Expected Shortfall 


While VaR is a useful measure, it fails to quantify how much risk 
there is in the tails. A measure that overcomes that drawback 
is expected shortfall (ES), also referred to as conditional value- 
at-risk (CVaR). For a given tail probability, ES is defined as the 
average of the VaR numbers that exceed the VaR at that tail 
probability. That is, ES focuses on the losses in the tail that are 
larger than the corresponding VaR level. 


1.5 RISK FACTOR BREAKDOWN AND 
INTERACTIONS BETWEEN FACTORS 


The example of the CRE cycle demonstrates how important it is for 
risk analysts to break risk down into discrete risk factors—in this 
case, PD, LGD, and EAD—and understand how these risk factors 
might interact over time and under stress to generate losses. 18 


In turn, each primary risk factor is driven by a more fundamental 
set of risk factors. For example, the probability of default by a 
firm may be driven by its strength or weakness in terms of key 
financial indicators, industry sector, management quality, etc. 


Breaking risk down into its key risk factors and understanding 
their importance as loss drivers—and their relationships with 
each other and the wider business environment—is a key activity 
for risk managers and is our fourth building block. 


A key question concerns how granular each risk factor analysis 
should be. Ideally, risk managers would like to understand every 
significant risk factor and analyze each factor's importance and 
dynamics through the data available. 


To score the risk factor, the risk manager may want to look at 
its sub-factors. For example, what is it that drives the credit 
risk variable of management quality: management's years of 


18 Understanding the dynamics of a loss record greatly increases its 
predictive power. To prepare for a key banking reform, Basel Il, some 
years ago, banks had to spend millions of dollars re-engineering their 
credit rating systems when the regulators asked them to improve their 
risk modeling by recording probability of default, loss given default, and 
credit exposure as separate risk factors. 
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BOX 1.5 WILL DATA SCIENCE REVOLUTIONIZE RISK ANALYSIS? 


Data science includes big data, artificial intelligence, and 
machine learning. Data science is helping risk managers 
approach the identification of risk variables in a new way. 
This should allow risk managers to isolate innumerable risk 
factors and understand their relationships at a greater level 
of complexity. 


In the insurance world, for example, analysts are bring- 
ing together public databases, social data, crediting rat- 
ing data, and unstructured data to understand risk at the 


experience? Or what drives a firm's vulnerability to cyber risk: 
systems, processes, or people? 


Finding the answers to such questions is important, but practi- 
calities often impose their own limits. Analytical resources may 
not be available. The loss data that can be used to isolate and 
statistically examine the power of each risk variable may be lim- 
ited in quantity, quality, or descriptive detail. 


That being said, new streams of data offering an undreamt level 


of granularity, analyzed by means of machine learning and mas- 


sive cloud-based computational power, may prove revolutionary 


in the identification of discrete risk factors (Box 1.5). 


1.6 STRUCTURAL CHANGE: FROM 
TAIL RISK TO SYSTEMIC CRISIS 


Some risk events have a diabolical side that seems designed to 
outwit the human mind. This may be because such events are 
very rare and extreme or they arise from unobserved structural 
changes in a market. 


In complex systems, such as the global climate or financial 
markets, extremely rare events can happen over long time 
periods, even if the system remains structurally stable. These 


risks, really an extreme version of unexpected loss, are difficult 


to identify in the data because (by definition) there are not a 
lot of them. 


Tail risk events (or outliers) might be rare, but a long enough 
time series of data should reveal evidence of their existence. 
Where data are scarce, modern risk management can some- 
times apply statistical tail risk techniques, utilizing a branch of 
statistics called Extreme Value Theory (EVT) to help make tails 


more visible and to extract the most useful information.'? 


19 For accessible reviews of the literature, see A. Pazarbasi, “Tail Risk 
Literature Review,” Alternative Investment Analyst Review; D. Levine, 
“Modelling Tail Behavior with Extreme Value Theory,” Risk Manage- 

ment, September 2009, Issue 17. 


individual level—the “segment of one,” as the industry 
calls it. 


Across the risk industries, massive computing power can now 
help risk managers spot patterns and relationships in data 
more quickly. Unsupervised machine learning can help the 
risk manager identify the “unknown unknowns” through iden- 
tifying clusters and correlations without specifying the area of 
interest in advance. Risk managers are about to enter an age 
of plenty in terms of data volume and risk factor analysis. 


When the structure underlying a system changes, risk increases. 
Large loss events may suddenly increase in frequency or size. 
Risk factors might suddenly move in lockstep. Entirely new 
sources of loss, in terms of risk type, may appear. In this case, 
more historical data will not help and “once-in-100-year” events 
might pop up once a decade until the structural problem is 
fixed, or proper risk management processes are adopted. 


A change in events does not only affect tail risk—the amounts 
of EL and unexpected loss might change as well. Risk manag- 
ers are continuously trying to assess the risk in systems that are 
changing in ways that might, or might not, matter. 


While this is a problem for all risk managers, there is a spe- 
cial twist for those working in the financial markets. Unlike 
most mechanical and natural systems, human systems (such 
as financial markets) are subject to constant structural change 
from levers such as social behavior, industry trends, regulatory 
reforms, and product innovations. 


An important recent example was the growth in subprime 
mortgage lending by US banks and other financial institutions 
starting in the early 2000s and its role in the creation of the 
2007-2009 global financial crisis. Unusual types of mortgages, 
such as interest-only mortgages and below market initial loan 
rates, rose quickly from comprising a small fraction of total loans 
originated to a substantial share of all new mortgages. At the 
same time, the proportion of loans that were subprime (i.e., 
mortgages to borrowers with blemished credit histories) also 
increased. Structural change—looking out for it and modeling 
its future effects—is our fifth building block of risk management. 


1.7 HUMAN AGENCY AND 
CONFLICTS OF INTEREST 


Structural change is not the only wild card in financial systems. 
Unlike natural systems, human systems are run by intelligent 
participants that can react to change in a self-reflective or even 
a calculating manner. 
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For example, consider a trader who carefully attempts to 
predict the effects of a market reform. The trader's peers 

can try to second guess his or her predictions. Perhaps a regula- 
tor that helped draft the reform joins a financial consulting 

firm and advises the industry on how to circumvent the 
safeguard. 


This type of behavior is true inside the firm as well. Those who 
understand how risk is generated and managed are in the best 
position to game it. They also often have the least incentive to 
make the risk transparent: Why would they broadcast the poten- 
tial for unexpected loss levels or tail risks? This is one reason 
many financial firms employ three lines of defense: 


1. First line: Business line that generates, owns, and manages risk; 


2. Second line: Risk managers that specialize in risk manage- 
ment and day-to-day oversight; and 


3. Third line: Periodic independent oversight and assurance, 
such as an internal audit. 


The safeguards do not always work. Risk management systems 
always have loopholes and become obsolete quickly in the face of 
industry innovations. For example, in a worrying number of rogue 
trading cases in the banking industry, the trader had first worked 
in the middle or back office and thus understood the loopholes 

in the risk management infrastructure. Sometimes traders and 
business leaders deliberately undermine the credibility of risk man- 
agement systems. Understanding the role of human agency, self- 
interest, and conflict of interest, is the sixth building block of risk 
management. 


1.8 RISK AGGREGATION 


Given the many different types of risk and risk metrics, a key 
problem in risk management is the challenge of seeing the big- 
ger picture. How can senior managers identify the riskiest busi- 
nesses on their watch and tell when the firm's aggregate risk is 
approaching intolerable levels? 


Market risk tends to be the most amenable risk type to quan- 
tification and aggregation but controlling this risk factor is 
challenging. Until recent decades, market risk exposures were 
largely compared in terms of the notional amount held in each 
asset (e.g., USD 10 million of a large capitalization stock) rather 
than both the notional amount held in each asset and their 
volatilities. 


This was never satisfactory. Some stocks and industry sectors 
were historically more volatile in price than others. Making mat- 
ters worse, it made no sense to use notional amounts to com- 
pare the risks taken by, for example, the US Treasury trading 
desk and a desk dealing in a volatile commodity. 


The advent of the derivatives markets in the 1970s made 

it imperative to improve market risk measures. Derivatives 
can be highly volatile and are an easy way to build up large 
risk exposures. Their value and their risk are driven by fac- 
tors only tangentially related to the notional value of the 
instrument. 


Portfolios of derivatives are often designed so that the indi- 
vidual instruments offset each other's market risk. It therefore 
makes no sense to treat the aggregate notional amounts in the 
portfolio as an indicator of portfolio risk. 


Options trading specialists developed their own measures 

of risk, including delta (i.e., sensitivity of option value to 

a change in the value of the underlying) and theta (i.e., 

the change in option value as the option expiration date 
approaches). These measures, commonly referred to as the 
“Greeks,” were—and still are—invaluable risk measures on the 
options trading desk. 


The Greeks are of limited help at an enterprise level, however, 
because they cannot be added together; nor do they imply the 
same level of risk across markets (e.g., delta in foreign exchange 
versus commodity markets). Large financial institutions needed a 
risk measure that was much more comprehensive. 


VaR was a popular risk aggregation measure in the years leading 
up to the crisis. However, it was not calculated using a set meth- 
odology, and there were at least three principal methodologies 

(and many ways to implement them). In fact, the concept of VaR 
also involves many simplifying assumptions. 


The concept proved almost too useful. It was quickly applied 
to manage risk across much longer time horizons, across many 
institutions and whole industries, and across many different 
risk types. 


The shortcomings of VaR as a risk measure were understood 
well before the global financial crisis of 2007-2009, but the crisis 
brought these weaknesses to the forefront and led to a reaction 
against over-dependence on this risk metric. VaR does, however, 
remain an important tool for risk managers. 


Bank regulators have tried to improve the way VaR is calculated, 
make its calculation across the industry more consistent and reli- 
able, and strengthen the role of supplementary risk measures 
such as ES and worst-case scenario analysis (Box 1.6). 


The inherent drawbacks of VaR have encouraged risk manag- 
ers to adopt a broader approach to risk metrics. Aggregate 
risk measures are useful in their place, but they inevitably fail 
to capture key dimensions of risk and must be supplemented 
with other approaches. Understanding risk aggregation and its 
strengths and weaknesses is our eighth risk management build- 
ing block. 
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BOX 1.6 TAKING ACCOUNT OF TAIL RISK 


VaR only looks at the largest loss at a given likelihood thresh- 
old; it does not examine the size of losses beyond this thresh- 
old. For that reason, it is often said to ignore tail risk (i.e., the 
effect of very severe but rare events). After the global finan- 
cial crisis of 2007-2009, various remedies for this were put 
forward. One of these was expected shortfall (ES), which is a 
statistical measure designed to quantify the mean risk in the 
tail of the distribution beyond the cut-off of the VaR measure. 


Banks and their regulators also turned to scenario stress test- 
ing and reverse stress testing. Scenario analysis and stress 
testing ignore the problem of measuring the frequency or 
probability of a rare event. Instead, they focus analytical 
resources on imagining a reasonably plausible worst-case 
scenario that may develop in stages over an extended period. 


1.9 BALANCING RISK AND REWARD 


A major advantage of a VaR approach is that it helps the firm 
to compare the risk exposures of different business lines. Firms 
come to understand the expected and unexpected loss levels 
associated with different activities. Furthermore, the firm can 
protect itself against these risks by making sure that its risk 
capital—also known as economic capital—is large enough to 
absorb the unexpected risk. 


In the banking industry, economic or risk capital is the amount 
of capital the firm requires based on its understanding of its 
economic risks. It is distinct from regulatory capital, which is cal- 
culated based on regulatory rules and methodologies. Economic 
capital and regulatory capital are sometimes in alignment, but 
often generate quite different numbers. 


Economic capital provides the firm with a conceptually satisfying 
way to balance risk and reward. For each activity, firms can com- 
pare the revenue and profit they are making from an activity to 

the amount of economic capital required to support that activity. 


A firm can then take these risk capital costs into account when it 
prices a product and when it compares the performance of differ- 
ent business lines. There are clear reasons to do this. For exam- 
ple, Business A might attract significant costs every year in terms 
of EL but incur little in the way of unexpected losses. Business B, 
on the other hand, might attract very little in the way of EL but 
suffer from very large losses at the end of every business cycle. 


Without a sophisticated risk-adjusted analysis of profitability, 
it will be difficult to compare Business Division A and Busi- 
ness Division B. Most likely, Business Division B will look very 
attractive during the benign part of the cycle. The firm might 
decide to cut product prices to build up business volume. This 


The risk manager develops the scenario—or is handed it 
by a regulator—and then analyzes the impact of the event 
on the institution given its risk exposures and reactive 
capabilities. Scenario analysis and stress testing can be 
highly quantitative and involve complex modeling, but the 
numbers are all focused on assessing severity rather than 
frequency. 


Reverse stress testing starts at the other end. The institution 
applies its modeling capabilities to work out how bad losses 
could get, then works backwards to try to understand how 
those losses were linked to its exposures and activities. How 
could the institution manage its activities to avoid the worst 
that might happen? 


frequently results in unexpected losses when the cycle turns. 
(Banking industries globally have tended to behave in exactly 
this manner, exacerbating the tendency for whole economies to 
go from boom to bust.) 


To factor in the cost of risk of both expected and unexpected 
losses, the bank can apply a classic formula for risk-adjusted 
return on capital (or RAROC):2° 


RAROC = Reward/Risk 


where reward can be described in terms of After-Tax Risk- 
Adjusted Expected Return, and risk can be described in terms of 
economic capital. 


After-Tax Net Risk-Adjusted Expected Return also needs to be 
adjusted for Expected Losses: 


RAROC = After-Tax Net Risk-Adjusted Expected Return/ 
Economic Capital 


For an activity/portfolio to add value to shareholders (and the 
stock price), RAROC should be higher than the cost of equity 
capital (i.e., the hurdle rate or minimum return on equity capital 
required by the shareholders to be fairly compensated for risk). 


There are many variants on the RAROC formula, applied across 
many different industries and institutions. Their level of sophis- 
tication varies but all have the same purpose: to adjust perfor- 

mance for risk. Four day-to-day applications stand out. 


e Business comparison: RAROC allows firms to compare the 
performance of business lines that require different amounts 
of economic capital. 


20 See M. Crouhy, D. Galai, and R. Mark, The Essentials of Risk Manage- 
ment, 2" ed. (Ch. 17), McGraw Hill, 2014. 
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BOX 1.7 HARD NUMBERS? 


Risk reports are full of numbers that look objective and 
empirical. Risk analyses perform a confusing array of tasks 
(Figure 1.6). Some are intended to quantify risk in some 
absolute sense—for example, Risk Probability xExposure 

x Severity—though the data and the modeling that underpin 
these numbers vary in quality. 

Other risk reports track some component of this equation, 
such as risk exposure. However, a drop in one risk compo- 
nent may not mean risk is declining, unless everything else 
remains the same. For example, a bank losing market share 
might remedy this by loosening credit quality: The drop in 
loan volume may not mean less credit risk. 


Other numbers track key risk indicators (IRIs), which are quantita- 
tive measurements that are used to assess potential risk expo- 
sures. For example, a staff turnover metric might act as a KRI for 
a type of operational risk. In this case, the relationship of the risk 
indicator to the risk under examination is often based on judg- 
ment. Decision-makers looking at risk metrics going up and down 
sometimes fool themselves that they are watching risk itself, 
when they are really watching a risk proxy of uncertain utility. 


Through either judgment or calculation, businesses must bal- 
ance risk and reward. That makes RAROC and similar mea- 
sures the ninth building block of risk management. 


e Investment analysis: A firm typically uses the RAROC formula 
that uses projected numbers to assess likely returns from 
future investments (e.g., the decision to offer a new type of 
credit product). RAROC results based on past returns can 
also be used to determine if a business line is providing a 
return above a hurdle rate demanded by the equity investors 
who are the providers of the firm's risk capital. 


e Pricing strategies: The firm can re-examine its pricing strat- 
egy for different customer segments and products. For exam- 
ple, it may have set prices too low to make a risk-adjusted 
profit in one business segment, while in another it may have 
the ability to reduce prices and increase market share (and 
overall profitability). 

e Risk management cost/benefit analysis: RAROC analyses can 
help a firm compare the cost of risk management (e.g., risk 
transfer via insurance, to the benefit of the firm). 


There are many practical difficulties in applying RAROC, 
including its dependence on the underlying risk calculations. 
Managers of business divisions often dispute the validity of 
RAROC numbers, sometimes for self-interested reasons. As 
with other types of risk metrics (Box 1.7), decision-makers 
should always understand what the number means and what is 
driving it. 


Quantification: 
(Probability X 
Exposure X 
Severity) 


Key Performance 


Indicator (Tracking Tracking Some 


Some Component of 
Quantification, for 


Ba Example, Exposure 


Performance. 
Factor Associated [ay 
with Risk) 


Key Risk Indicator 
(Tracking Some 
Factor Closely 
Associated with 
Risk) 


Risk Ranking 
(Judgment or 
Analysis Based) 


GMA Risk metrics capture many different 
dimensions of risk. 


1.10 ENTERPRISE RISK 
MANAGEMENT (ERM): MORE THAN 
ADDING UP RISK? 


One challenge to an effective firm-wide risk management 
process is that at many firms, business divisions manage their 
risk in a siloed approach (i.e., where each division manages 
its own exposures independently without considering the 
risk exposures of other divisions). Financial risk managers 
have long recognized that they must overcome this silo- 
based risk management process to build a broad picture 

of risk across risk types and business lines: enterprise risk 
management (ERM). 


We devote Chapter 8 to ERM, the tenth building block of risk 
management. ERM projects encourage firms to think about 
enterprise risk using tools, such as a clear statement of corporate 
risk appetite, a cohesive approach to risk management rough 
global risk committees, and so on. 


Oftentimes, historic ERM efforts have overemphasized the need 
to express risk as a single number such as economic capital or 
VaR. Expressing risk as a single number was too simplistic an 
approach. 
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BOX 1.8 DIGITAL RISK MANAGEMENT? 


The digital era is changing the face of business in many ways, 
including the new ways that corporations interact with cus- 
tomers (mobiles, sensors) and new risks (cyber risk, privacy 
regulations). How will the digital era change the working day 
of the risk manager over the next few years? 


According to a survey by McKinsey in 2017, the digital trans- 
formation of risk functions in financial institutions is occurring 
more slowly than the transformation of customer-facing oper- 
ations. However, big changes are underway, including: 


e Drawing information from a wider set of sources to apply 
advanced analytics to measure risk, for example, applying 
big data analytics to credit and operational risks; 


e Faster and real-time decision-making based on more auto- 
mated risk processes, for example, automated corporate 
credit scoring; and 


Perhaps the biggest lesson of the 2007-2009 global financial cri- 
sis was that risk cannot be reduced to any single number. 


e It is multi-dimensional, so it needs to be approached from 
many angles, using multiple methodologies. 


e It develops and crosses risk types, so even a wide view of risk 
types—but at only one point in time—may miss the point. 


e It demands expert judgment that is combined with applica- 
tion of statistical science. 


Measuring risk in economic capital terms is important for bal- 
ancing risk and reward. However, the key factor that saves an 
institution may come from another risk analysis tool—perhaps 
from worst-case scenario analysis or some new digital approach 
(Box 1.8). Firms need a comprehensive view of risk and this can 
only be built using a range of tools and a healthy amount of 
curiosity. 


For example, insights might come from a risk manager digging 
deep and realizing the implications of a structural change in 

a market. It might come from looking at the competition and 
realizing that behavior across the industry might precipitate a 
market crisis. Or it might come from a new risk indicator such 
as a market-derived credit risk indicator that signals a change in 
credit condition at a major counterparty early enough for action 
to be taken. 


That moment of realization, however, must be followed up with 
actions. The modern approach to ERM must also look at the 
processes that link information to action and also look at the 


e Greater productivity, as risk processes are engineered 
away from paper documents towards automated work 
flows, for example, for reviews of documentation. 


The survey found that there are big challenges involved with 
digitizing risk management in the form of legacy infrastruc- 
ture, limited data, and the need for new digital skills. Data 
scientists have the critical skill set for digitized risk functions 
and may soon be in as much demand as “rocket scientist” 
risk modelers. 


Source: McKinsey & Co and Institute of International Finance: 
The Future of Risk Management in the Digital Era, October 
2017; see Exhibit 23 regarding the need for data scientists in 
digital risk management functions. 


firm's corporate governance and risk culture, as we discuss in 
Chapters 3 and 4. If the firm embarks on an aggressive push 
for growth only to realize that risks have not been fully under- 
stood, what is its process for changing course? Has that fire drill 
been tested? 


ERM is no longer simply about aggregating risk across risk 
types and businesses. It is about taking a more holistic 
approach to the entire risk management process and its rela- 
tionship to strategic decisions. It is about the way the firm 
thinks about risk, and in doing so establishes its corporate 
identity (Figure 1.7). 


e Across Businesses 
and Risk Types 
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of Risk Analysis 
Tools Looking at 
Various Time 
Horizons 


Join Up Risk 
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360 Degree 


Environment Culture 
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ERM needs to think a bit bigger. 
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The following questions are intended to help candidates understand the material. They are not actual FRM exam questions. 


QUESTIONS 


1.1 


1.2 


1.3 
1.4 
1.5 
1.6 
1.7 


1.8 
1.9 


1.10 


1.11 


1.12 


1.13 


1.14 


1.15 


1.16 


1.17 


1.18 


Describe and provide examples of fundamental risk fac- 
tors and their sub-risk factors that drive the probability of 
a firm's default 


What are the four components of a risk management 
process? 


Provide an example of what is meant by basis risk. 
What are two types of liquidity risk? 

What drives market risk across all markets? 

What is meant by strategic risk? 


Describe how risk managers become involved in business 
risk. 


What Is reputation risk? Provide examples in your answer. 


What is meant by economic capital? Contrast it with 
regulatory capital. 


What is the basic idea of RAROC? Provide the RAROC 
equation in your answer. 


What are a few applications of RAROC? Provide exam- 
ples in your answer 


What is counterparty risk and give an example? 


If a bank's management is told that under normal market 
conditions, the daily VaR at the 97.5% confidence level for its 
trading portfolio is USD 14 million. What does that mean? 


Provide a list of examples of risk management that can 
be seen in early history. 


Provide a list of the key risk management building 
blocks. 


Provide a list of the four choices involved in the classic 
risk management process. 


Unsupervised machine learning can help the risk man- 
ager identify the “unknown unknowns” through identify- 
ing clusters and correlations without specifying the area 
of interest in advance. 

A. True 

B. False 


Banking regulators are encouraging tools that support 
using advanced analytical formulas to calculate regula- 
tory operational risk capital. 

A. True 

B. False 


1.19 The three lines of defense consists of: 
e First line: Risk managers that specialize in risk man- 
agement and day-to-day oversight; 


e Second line: Business line that generates, owns and 
manages risk; and 


e Third line: Periodic independent management over- 
sight and assurance such as internal audit. 
A. True 
B. False 


1.20 Reverse stress testing applies its modeling capabilities to 
estimate the size of potential losses. 
A. True 
B. False 


1.21 Frank Knight referred to uncertainty as measurable risk. 
A. True 


B. False 


1.22 The expected shortfall is the expected loss in the tail of 
the distribution. 
A. True 
B. False 


1.23 Business risk involves making large, long-term decisions 
about the firm's direction, often accompanied by major 
investments of capital, human resources, and manage- 
ment reputation. 

A. True 
B. False 


1.24 Enterprise Risk Management is the management of risk 
at the business unit level. 
A. True 
B. False 


1.25 Track key risk indicators are quantitative measurements 
that are used to assess potential risk exposures. 
A. True 
B. False 


1.26 Business risk applies only to large non-financial corporates. 
A. True 
B. False 


1.27 Expected shortfall (ES) is 
A. a statistical measure designed to quantify the mean 
risk in the tail of the distribution beyond the cut-off 
of the VaR measure. 
B. the case where RAROC fails to be greater than a 
hurdle rate. 
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The following questions are intended to help candidates understand the material. They are not actual FRM exam questions. 


1.28 Tail risk techniques are dealt by 
A. Extreme Value Theory. 
B. VaR Theory. 
C. Probably of Default Theory. 
D. standard deviation. 


1.29 Operational risk includes 
A. legal risk. 
B. business risk. 
C. reputation risk. 
D. currency risk. 


1.30 Expected loss (EL) for a loan is based on 
A. probability of default (PD). 
B. exposure at default (EAD). 
C. loss given default (LGD). 
D. all of the above 


1.31 Which of various Greek measures can be added together 


across different currencies? 
A. Delta 

B. Gamma 

C. Theta 

D. None of the above 


1.32 Operational risk includes 


A. 
B. 
c. 
D. 


counterparty risk. 
cyber risk. 
reputation risk. 
business risk. 


1.33 The purpose of economic capital is to absorb 


A. 
B. 
c. 
D. 


expected loss. 
unexpected loss. 
tail loss. 

all of the above. 


1.34 Reputation risk 


A. 


B. 
C. 
D. 


is easy to quantify. 

is the responsibility of the chief market risk officer. 
cannot be managed at all. 

should be monitored by the board. 
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ANSWERS 


1.1 


1.2 


1.3 


1.4 


1.5 


1.6 


1.7 


PD of a firm is driven by a firm's strength or weakness in 
terms of key variables such as financial ratios, industry 
sector, country, quality of data, and management quality. 
Each fundamental set of risk factors is driven by sub- 
factors. For example, management years of experience is 
a sub-factor of the management quality variable. 


The risk manager first attempts to identify the risk then 
next analyzes the risk. Subsequently the risk manager 
assesses the impact of any risk event and ultimately man- 
ages the risk. In summary, the four components are 


1. Identify the risk, 
2. Analyze the risk, 
3. Assess Impact of risk, and 
4. Manage the risk. 


A form of market risk known as basis risk occurs if a posi- 
tion intended to hedge another position might do so 
imperfectly. 

The two types are funding liquidity risk and trading 
liquidity risk 

Funding liquidity risk refers to the case where a firm can- 
not access enough liquid cash and assets to meet its obli- 
gations. For example, banks take in short-term deposits 
and lend the money out for the longer term at a higher 
rate of interest. 


Trading liquidity risk refers to a case where markets 
temporarily seize up. For example, if market participants 
cannot, or will not, take part in the market, this may force 
a seller to accept an abnormally low price, or take away 
their ability to turn an asset into cash and funding at any 
price. 


Market risk is driven by (1) general market risk and (2) 
specific market risk. General market risk is the risk that an 
asset class will fall in value, leading to a fall in the value 
of an individual asset or portfolio. Specific market risk is 
the risk that an individual asset will fall in value more than 
the general asset class. 


Strategic risks involve making large investments, in long- 
term decisions about the firm's direction, that can affect 
its future direction and strategy. 


Risk managers have specific skills they can bring to bear 
in terms of quantifying aspects of business risk. For 
example, credit risk experts often become involved in 


1.8 


1.9 


1.10 


1.11 


managing supply chain risk. Risk managers should be 
involved at the start of business planning. For example, 
it may be impossible to fund the construction of a power 
station without some form of energy price risk manage- 
ment strategy in place. 


Reputation risk is the danger that a firm will suffer a sud- 
den fall in its market standing or brand with economic 
consequences. Rumors can be fatal in themselves. For 
example, a large failure in credit risk management can 
lead to rumors about a bank’s financial soundness. Inves- 
tors and depositors may begin to withdraw support in 
the expectation that others will also withdraw support. 
Unethical behavior of managers in the firm can hurt its 
reputation. 


Economic (risk) capital is the amount of capital the firm 
requires based on its understanding of its economic risks. 
Regulatory capital is calculated based on regulatory rules 
and methodologies. 


RAROC = Reward/Risk. Reward can be described 

in terms of After-Tax Risk-Adjusted Expected Return. 
Risk can be described in terms of economic capital. 
RAROC should be higher than the cost of equity capi- 
tal. RAROC = After-Tax Net Risk-Adjusted Expected 
Return*/economic capital 


*After-Tax Expected Return is adjusted for EL 


RAROC can be used in business comparison, investment 
analysis, pricing strategy, and cost-benefit analysis. 


e Business comparison: For example, compare the 
performance of business lines that require different 
amounts of economic capital. 


e Investment analysis: For example, assess likely 
returns from future investments (e.g., the decision 
to offer a new type of credit product). 

e Pricing strategies: For example, examine pricing 
strategy for different customer segments and prod- 
ucts (e.g., it may have set prices too low to make a 
risk-adjusted profit). 

e Risk management cost/benefit analysis: For 
example, compare the dollar cost of risk manage- 
ment (e.g., risk transfer via insurance, to the dollar 
benefits). 
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The following questions are intended to help candidates understand the material. They are not actual FRM exam questions. 


1:12 


1.13 


1.14 
1.15 


Counterparty risk is the risk that the counterparty to 
a trade will fail to perform. Counterparty risk includes 
settlement or Herstatt risk. 


This VaR means that with respect to its trading port- 
folio, under normal market conditions, there is a 2.5% 
probability that the loss can be more than $14 million in 
one day. 


See Figure 1.2 in Chapter 1 


1. The risk management process 

2. Identifying known and unknown risks 

3. EL, unexpected loss, and tail loss 

4. Risk factor breakdown 

5. Structural change from tail risk to systemic crisis 
6. Human agency and conflicts of interest 

7. Typology of risks and risk interactions 

8. Risk aggregation 

9. Balancing risk and reward 


10. Enterprise risk management (ERM) 


1.17 
1.18 


1.19 


1. Avoid Risk 
2. Retain Risk 
3. Mitigate 
4. Transfer 


True 


False because the Basel Committee signaled a change 
of direction in 2016. Basel encourages banks to under- 
stand their operational risk using a variety of tools but 
capital allocation would be based on a simpler stan- 


dardized approach using weighted bank size with a mul- 


tiplier based on the bank's record of larger operational 
risk losses. 


False because business line is traditionally referred to as 
the first line and risk management is referred to as sec- 
ond line. 


1.20 


1.21 


1.22 
1.23 
1.24 
1.25 
1.26 
1:27 


1.28 
1.29 
1.30 
1.31 


1.32 
1.33 
1.34 


True because risk mangers work back from the reverse 
stress test to try to understand how those losses were 
linked to its exposures and activities. The goal is to help 
an institution risk manage its activities to avoid the worst 
that might happen. 


False because Knight said measurable risk applies to 
decision making in which the outcome of the decision 
is unknown, but the decision maker can fairly accurately 
quantify the probability associated with each outcome 
that may arise from that decision. It is his definition 

of risk, not uncertainty. This Knight called uncertainty 
“unmeasurable uncertainty” or “true uncertainty.” 


True 
False 
False 
True 
False 


C. a statistical measure designed to quantify the mean 
risk in the tail of the distribution beyond the cut-off of 
the VaR measure. 


A. Extreme Value Theory. 
A. legal risk. 
D. because EL = EAD x LGD x PD 


D. because Greeks for example do not imply the 
same level of risk across markets (e.g., delta in foreign 
exchange versus commodity markets). 


B. cyber risk. 
B. unexpected loss. 


D. should be monitored by the board. 
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How Do Firms 
Manage Financial 
Risk? 


E Learning Objectives 


After completing this reading you should be able to: 


® Compare different strategies a firm can use to manage its © Apply appropriate methods to hedge operational and 
risk exposures and explain situations in which a firm would financial risks, including pricing, foreign currency, and 
want to use each strategy. interest rate risk. 

® Explain the relationship between risk appetite and a firm's ® Assess the impact of risk management tools and instru- 
risk management decisions. ments, including risk limits and derivatives. 


® Evaluate some advantages and disadvantages of hedging 
risk exposures and explain challenges that can arise when 
implementing a hedging strategy. 
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It might seem obvious, given the discussion in Chapter 1, that 
firms should manage financial risk. However, it is not that simple 
in the corporate world. Specifically, a firm must answer several 
questions. 


e Does managing risk make sense from the perspective of the 
firm's owners? 


e What is the precise purpose of a risk management strategy? 


e How much risk should the firm retain? What risks should 
be managed? What instruments and strategies should be 
applied? 


The wrong answers can turn risk management itself into a major 
threat to the firm. 


Figure 2.1 lays out these issues as a road map. But while this 
chapter follows this road map, the risk management process 
itself is iterative. For example, once a firm understands the costs 
and complexities of risk management for a particular business 
unit, it might revisit whether it should be involved in that risk- 
generating business activity at all. 


2.1 BACKGROUND: THE MODERN 
IMPERATIVE TO MANAGE RISK 


Firms have always managed their core business risks. They try to 
understand what drives customer demand, cultivate a range of 
suppliers for critical components, backup their data, and insure 
their warehouses. However, they have not always managed finan- 
cial risks with the same intensity. So why do firms today stress 
the importance of financial risk management? 


The answer lies in a potent mix of need and opportunity. 


e Need: The need to manage financial risk grew significantly 
from the 1970s as markets liberalized (e.g., commodities, 
interest rates, credit, and foreign exchange), price volatility 
shot up, and the global economy gathered steam. 


e Opportunity: The growth in market volatility helped spawn 
a fast-evolving selection of financial risk management instru- 
ments in the 1980s and 1990s, giving firms many more 
opportunities to manage their risk profiles. 


There was a rapid growth in instrument types after the 1970s 
that was fueled by theoretical advances such as the Black- 
Scholes-Merton option pricing model and securitization 
technology.' This process continued with the more recent arrival 


1 Securitization involves the packaging (i.e., pooling) of loans and 
receivables and the issuance one or more securities backed by the pool. 
Examples include mortgage-backed securities, asset-backed securities, 
and collateralized loan obligations. Securitization is explained further in 
Chapter 4. 


1. Identify risk appetite. 
e Identify key corporate goals and risks. 
e Should we manage risk? 
e Which risks should we manage? 
e Create a risk appetite statement (broad terms). 


2. Map risks, make choices. 

e Map risks. 

e Assess or measure risk/impact. 

e Perform risk/reward analysis of risk management 
strategy (RAROC etc.) 
e Prepare comparative cost/benefit of risk manage- 

ment tactics. 
e Choose basic strategy/tactics. 
e Create a risk appetite statement (detailed terms). 


3. Operationalize risk appetite. 
e Express risk appetite in operational terms. 
e Assess risk policies. 
e Set risk limit framework. 
e Rightsize risk management team. 
e Resources, expertise, infrastructure 
e Incentives and independence 


4. Implement. 
e Choose tactics/instruments. 
e Make day-to-day decisions. 
e Establish oversight. 


5. Re-evaluate regularly to capture changes in: 
e Risk appetite/risk understandings/stakeholder 
viewpoints, 
e Business activity and risk environment (remapping), and 
e New tools, tactics, cost-benefit analyses. 


Risk Management Road Map: Five 
Milestones. 


of credit and weather derivatives in the 1990s along with the 
ongoing emergence of cyber risk transfer instruments beginning 
in the twenty first century. 


Two decades of growth in the principal derivatives markets are 
captured in Figure 2.2. The numbers behind this figure include 
trading as well as end-user risk management. The distinct level- 
ing off of growth in some risk market categories has been driven 
by a decline in speculative use, tightening bank regulation,? and 
a decline in interest rates and market volatility following the 
2007-2009 global financial crisis. At the same time, there are 


2 For example, see A. Nag and J. McGeever, “Foreign Exchange, the 
World’s Biggest Market, Is Shrinking,” Reuters, February 2016: https:// 
www.reuters.com/article/us-global-fx-peaktrading-idUSKCNOVK1UD. 
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OTC derivative notional volumes by risk type (1999-2019) 


(i.e., within days or hours) in ways that can either 
reduce risk or create a speculative position. Fur- 


USD trn i e 
thermore, this change may not be immediately 
apparent. 

306 For example, a firm with an exposure to a variable 


interest rate might use a complicated instrument that 
dampens this exposure, provided that interest rates 
stay within certain bounds. But the same instrument 

400 might increase the firm's financial exposure if interest 
rates break through a given ceiling. Is this risk man- 
agement, or a bet? 


200 Modern corporations can potentially have risk pro- 
files traditionally associated with investment banks. 
All that is needed is a computer, the right passwords, 
and (hopefully) the approval of the board. The grow- 
ing resources devoted to corporate risk management 


2001 2004 2007 2010 2013 2016 2019 5 pi 
aa A exist partly to ensure these new corporate capabili- 
Derivatives risk Category š 2 
— Total (all risk — Credit Derivatives — Foreign Exchange — Interest Rate ties are used wisely. 
categories) 
EMME OTC derivative notional volumes by risk type 


(1999-2019). 


Source: BIS Derivatives Statistics, see https://www.bis.org/statistics/about_derivatives_ 


stats.htm?m=6%7C32. Reprinted by permission. 


other risk transfer markets (e.g., cyber risk management) that 
are continuing to grow rapidly. 


Risks from Using Risk Management 
Instruments 


Risk management instruments allow firms to hedge economic 
exposures, but they can also have unintended negative con- 
sequences. They can quickly change a firm’s entire risk profile 


Hedging Philosophy 


Just because a risk can be hedged does not mean 
that it should be hedged. Hedging is simply a tool 
and, like any tool, it has limitations. 


For example, hedging can only stabilize earnings within a 
relatively short time horizon of a few years. Hedging also 
has costs that are both transparent (e.g., an option pre- 
mium) and opaque (e.g., the dangers arising from tactical 
errors and rogue trading). Meanwhile, as Box 2.1 notes, 
equity investors (i.e., the owners of the firms) might feel that 
risk is diversified away in the context of their investment 
portfolios. 


BOX 2.1 DO EQUITY INVESTORS WANT MANAGERS TO HEDGE RISK? 


The answer is generally “yes” if the investor has concentrated 
their investment in a specific firm, (e.g., a family-owned firm 
or even a state-owned firm). The answer is potentially “no” in 
the more common case where the investor holds the invest- 
ment as part of a diversified portfolio. 


Note that in a large portfolio, any risks specific to the firm in 
question are diversified away. Reducing firm-specific volatil- 
ity in the value of an individual stock is therefore of minimal 
value to investors. 


Meanwhile, systematic risks that are not diversified away 
by portfolio diversification (e.g., interest rate risk) can be 
managed at the portfolio level by the investor. The investor, 
therefore, receives little benefit from such risk management 


at the level of the individual firm. At the same time, some 
investors want exposure to certain macroeconomic risks (e.g., 
the price of oil or gold). 


The argument against hedging risk at the balance-sheet level 
is well grounded in finance theory. However, finance theory 
itself makes several unrealistic assumptions about financial 
markets. This chapter explores powerful “real-world” counter 
arguments in favor of hedging. 


Meanwhile, a decades-long series of empirical studies aimed 
at revealing whether hedging helps firms or not (e.g., in terms 
of raising their stock price compared to non-hedgers) has yet 
to deliver a knock-out blow for any one side of the argument. 
The answer may turn out to vary across different industries. 
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These theoretical and practical objections to hedging should 
lead firms to question whether and how risk should be man- 
aged. But there are also powerful counterarguments in favor 
of hedging. 


The theoretical arguments against hedging rest on the idea 
that markets are, in some sense, perfect and frictionless. In 
fact, there are many market imperfections. Hedging is often 
intended to reduce the chance of financial distress, which 
incurs both direct costs (e.g., bankruptcy costs) and major 
opportunity costs. A firm hit by an unexpected market loss 
will reduce its investment in other areas and move more 
cautiously. 


Improving revenue stability also sends an important message 
to potential creditors who may be concerned about the firm's 
soundness. Creditors usually get no upside from a firm's rev- 
enue volatility. They are only interested in whether the firm 
can fulfill its promises. That's also true for key customers and 
suppliers. 


In addition, hedging can make sense for investors if it is used 
as a tool to increase the firm's cash flows (rather than to 
reduce equity investor risk). For example, firms may need to 
offer their customers a stable price over the next three years, 
which may be impossible without hedging a key cost input. 
If hedging like this increases customer demand, then equity 
investors are happy. 


Likewise, a firm that commits to supply a product into a for- 
eign market in one year’s time will need to hedge the relevant 
currency to lock in profit margins. For managers, perhaps the 
most important operational benefit of hedging is the plan- 
ning benefit. Without the use of hedging, the random uncer- 
tainty of a fluctuating currency can make planning almost 
impossible. 


Finally, equity investors are not the only stakeholders, and 
certainly not the only decision-makers. Furthermore, these 
other stakeholders/decisionmakers may have different hedging 
needs and desires. Whereas managers, regulators, and general 
staff expect the firm to be financially sound and protected 
from sudden mishaps, managers may have incentives to use 
hedging to ensure their firm meets key short-term targets 
(e.g., stock analyst expectations) that affect their prestige and 
compensation. Risk managers need to pay close attention to 
how derivatives can leverage agency risks. 


There are important arguments for and against hedging, as 
well as a variety of potential motivations. Firms need to explain 
their rationale for hedging in terms of basic aims (e.g., man- 
aging accounting risk, balance-sheet risk, economic risk, or 
operational risk). They also need to be clear on the size of their 
risk appetite. 


2.2 RISK APPETITE—WHAT IS IT? 


Risk appetite describes the amount and types of risk a firm is 
willing to accept. This contrasts with risk capacity, which 
describes the maximum amount of risk a firm can absorb.? 


A recent trend among corporations is to use a board-approved 
risk appetite to guide management and (potentially) to inform 
investors via annual filings. But what exactly is a risk appetite in 
practical terms? It is two things. 


1. A statement about the firm's willingness to take risk in 
pursuit of its business goals. The detailed risk appetite 
statement is usually an internal document that is subject to 
board approval. However, attenuated versions can appear 
in some annual corporate reports. 


2. The sum of the mechanisms linking this top-level statement 
to the firm's day-to-day risk management operations. These 
mechanisms include the firm's detailed risk policy, business- 
specific risk statements, and the framework of limits for key 
risk areas. 


The operational expression of the risk appetite statement should 
also be approved by the board and needs to be congruent with 
a wider set of risk-related signals that the firm sends to its staff 
(e.g., incentive compensation schemes). 


The banking industry, pushed by regulators and a series of cri- 
ses, is perhaps at the forefront of developing risk appetite as a 
concept. Box 2.2 describes how one leading global bank defines 
its risk appetite and sets it to work. 


There is a trend toward making corporate risk appetites more 
explicit, both in terms of the kinds of risks deemed acceptable 
and in terms of forging a link to quantitative risk metrics. How- 
ever, one fundamental question concerns the meaning of the 
phrase risk appetite, which is used to mean many different (if 
related) concepts in the business literature (Box 2.3). 


Is risk appetite the total amount of risk the firm could bear with- 
out becoming insolvent? Or is it the amount of risk the firm is 
taking today? Or the amount that it would be happy to bear at 
any one time? 


In Figure 2.3, the answer is the latter. Here, the risk appetite is 
set well below the firm’s total risk bearing capacity, and above 
the amount of risk the firm is exposed to currently (labeled here 
as the firm's risk profile). The dotted lines are upper and lower 
trigger points for reporting purposes. These are designed to let 


3 For example, from a risk capacity perspective, a bank is not allowed to 
lower its leverage ratio below 3% (where leverage ratio is a measure of 
the bank's tier 1 capital as a percentage of its assets + off balance-sheet 
exposures). 
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BOX 2.2 HOW IS HSBC USING ITS RISK APPETITE STATEMENT? (EXTRACT 


FROM 2016 ANNUAL REPORT) 


“The group's Risk Appetite Statement describes the types 
and levels of risk that the group is prepared to accept in 
executing its strategy. Quantitative and qualitative metrics 
are assigned to 13 key categories, including: earnings, capital 
and leverage, liquidity and funding, interest rate risk in the 
banking book, credit risk, traded risk, operational risk, finan- 
cial crime compliance and regulatory compliance. Measure- 
ment against the metrics: 


e Guides underlying business activity; 
e Informs risk-adjusted remuneration; 


e Enables the key underlying assumptions to be monitored 
and, where necessary, adjusted through subsequent 
business planning cycles; and 


e Promptly identifies business decisions needed to mitigate risk. 


The Risk Appetite Statement is approved by the Board fol- 
lowing advice from the Risk Committee. It is central to the 
annual planning process, in which global businesses, geo- 
graphical regions and functions are required to articulate 
their individual risk appetite statements. These are aligned 
with the group strategy, and provide a risk profile of each 
global business, region or function in the context of the indi- 
vidual risk categories.” 


Source: Excerpted from HSBC Bank plc, Annual Report and 
Accounts 2016, page 20. 


BOX 2.3 FIRM-LEVEL VERSUS INDUSTRY-LEVEL RISK APPETITE 


The main text talks about the risk 
appetite of an individual firm. But 
how does this relate to the industry- 70% 
level risk appetite discussed in the 
business press? For example, econ- 60% 
omists often survey the risk appetite 50% 
felt by business leaders and use the 
results to track how eager firms are 40% 
to invest and grow (figure). 


80% 


30% 
It may be best to think of a firm's 
n S ; z 9 
internal risk appetite as a relatively 20% 
stable “through the cycle” attitude © 
5 Bae oe 10% 
toward risk at an individual firm. 
Meanwhile, the figure is a “point 0% 


in time” barometer of sentiment 
across the industry, driven largely 
by external environmental factors 
(e.g., Brexit or GDP growth). 
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UK corporate risk appetite—CFO survey data. 
Source: Deloitte, The Deloitte CFO Survey (UK), Q1 2018, page 3. Reprinted by permission. 


the board know if risk taking looks unnaturally low or if there is a 
danger of breaching the agreed risk appetite.* 


4 Our arguments in this paragraph, and the exhibit it refers to, fol- 

low the discussion in Deloitte, Risk Appetite Frameworks, How to 

Spot the Genuine Article, 2014, page 8: https://www2.deloitte.com/ 
content/dam/Deloitte/au/Documents/risk/deloitte-au-risk-appetite- 
frameworks-financial-services-0614.pdf. There are also useful discussions 
in COSO, “Enterprise Risk Management: Integrating with Strategy and 


Another key issue concerns consistency of risk appetite across 
risk types. Generally, firms regard themselves as more or less 
“conservative” or “entrepreneurial” in their attitude toward 
risk. However, this characterization should logically depend on 
the type of risk, and on the firm's risk management expertise. 


Performance,” June 2017, volume 1. Note that the terminology around 
tisk appetite—particularly capacity and tolerance—is not always used 
consistently across the literature. 
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Capacity 


Appetite 


Risk appetite as a metric. 


Source: Deloitte, Risk Appetite Frameworks, How to Spot the Genuine 
Article, 2014, detail from Figure 1, page 8: https://www2.deloitte.com/ 
content/dam/Deloitte/au/Documents/risk/deloitte-au-risk-appetite- 
frameworks-financial-services-0614.pdf. 


For example, a high-tech firm might decide to adopt a very 
high-risk strategic objective in the belief that this is within its 
expertise. It might even believe that it will lose its purpose 
entirely if it does not outpace competitors. Here, taking a bet is 
risk management. However, the same firm could logically take a 
very conservative view of how it manages its foreign exchange 
exposures, Furthermore, the firm may already be managing 
some risks (e.g., cyber risk) much more explicitly and adeptly 
than a more conservative firm across the road. 


Risk appetite is therefore part of a firm's wider identity and 
capabilities. Firms must ask, “Who are we?” and “Who do our 
stakeholders think we are?” well before they get to the point 
of trying to operationalize a risk appetite. (Whether crafting 

a corporate “mission statement” will help in this endeavor is 
another question.) 


In truth, forging a robust link between top-of-house risk appe- 
tite statements and the operational metrics of risk appetite in 

a particular risk type or business line is a challenging task. As 
seen in Chapter 1, there is no single measure of risk, even within 
a single risk type, that allows us to monitor risk at the business 
level and then easily aggregate this to the enterprise level. 


The result is that firms operationalize their risk appetite using a 
multiplicity of measures. For financial firms, this can include busi- 
ness and risk-specific notional limits, estimates of unexpected 
loss, versions of value-at-risk (VaR), and stress testing. The level 
of detail needs to reflect the nature of the risk and the sophisti- 
cation of the risk management strategy. 


2.3 RISK MAPPING 


The risk appetite statement tells a firm what the basic objective 
is. But it also needs to map out its key risks at the cash flow level 
and assess its size and timing over particular time horizons. 


For example, a firm might be exposed to a major commodity price 
risk (e.g., the price of copper) arising from its manufacturing oper- 
ations. In this case a risk manager might begin by looking ahead 
to the amount of copper the firm will need to keep in stock. When 
will it need the metal, and where will it need to be delivered? 
Which local price benchmark most closely represents its risk? 


A firm may also be exposed to foreign exchange risk. The 

first step here is to map out existing positions as well as con- 
tracts and other upcoming transactions. The firm then needs 

to develop a policy that dictates which exposures should be 
hedged (e.g., should hedging include sales that are probable 
but not yet certain?) It also needs to set down the timing of the 
various cash flows as well as understand the assets and liabilities 
exposed to exchange rates. 


It may well be that (by design or accident) some of the cash 
flows cancel each other out. Mapping risk is a way to recognize 
important netting and diversification effects and to put in place 
a plan for increasing these effects in future years. 


A firm may also be exposed to risks that it will need to insure 
against (e.g., the risk of natural catastrophes, physical mishaps, 
and cyber incidents). Risk mapping should not ignore risks that 
are difficult to track in terms of exposure and cashflow. For 
example, a new business line might attract large, difficult to 
quantify data privacy risks as well as foreign exchange exposures. 


2.4 STRATEGY SELECTION: ACCEPT, 
AVOID, MITIGATE, TRANSFER 


Once a risk manager understands the firm's risk appetite and 
has mapped its key risks, then he or she can decide how to best 
handle each risk. 


First, risk managers must define the most important risk expo- 
sures and make some basic prioritization decisions. Which risks 
are most severe and most urgent? 


Second, the firm needs to assess the costs and benefits of the 
various risk management strategies. 


e Retain: Firms will want to accept some risks in their entirety, 
or to accept part of a loss distribution. Note that retained risks 
are not necessarily small. For example, a gold mining com- 
pany may choose to retain gold price risk because its investors 
desire such an exposure. Alternatively, an input price risk that 
expresses itself as expected loss can be retained and priced 
into the product. A key part of risk management is making 
carefully considered decisions to retain risk. 


e Avoid: Firms may want to avoid the types of risk that they 
\" 


to their business. Some risks can only 
be avoided by stopping a business activity. Firms sometimes 


regard as “unnatura 
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say they have “zero tolerance” for certain kinds of risk or 
risky behavior. But unless the right safeguards are in place, 
this sentiment may be more hopeful than descriptive. 


e Mitigate: Other risks can be mitigated in various ways. Exam- 
ples include a firm asking for additional collateral to mitigate 
a credit risk and an airline investing in more efficient aircraft 
to mitigate its exposure to jet fuel price risk. 


e Transfer: Firms can transfer some portion of their risks to 
third parties. For example, insurance contracts, financial 
derivatives, and securitization offer ways to transfer risks (at a 
financial cost). 


Senior management and the board will be responsible for 
selecting risk management strategies for larger risks. However, 
the risk manager needs to help them choose among the vari- 
ous options. Which strategy allows the firm to stay within its risk 
appetite in the most efficient manner? 


It is rare for the costs of each strategy to be completely trans- 
parent. The cost of transferring the risk, for example, would ide- 
ally include the cost of employing a risk manager and the cost of 
managing any residual risks (e.g., basis risks). 


Meanwhile, a firm that hedges a commodity price might find 
that its competitors gain a short-term advantage from any fall in 
the spot price. Can it really put a number against that potential 
competitive weakness? While numbers are critical, a great deal 
of business judgment is also required. 


Finally, firms may have to conduct this kind of analysis for risks 
that are harder to quantify than market risk—including new 
insurable risks.> For example, firms may need to estimate the 
size of a cyber risk loss through worst-case analysis and expert 
judgment (e.g., a 5% estimated chance of a USD 100 million 
data loss event), and then compare this to the mitigation offered 
by a costly data systems upgrade. That in turn may need to be 
compared to the costs and benefits of transferring part of the 
risk to the fast-evolving cyber insurance market. 


2.5 RIGHTSIZING RISK MANAGEMENT 


Once a firm has an idea of its goals in key risk areas, it needs to 
make sure it has a risk management function that can develop 
and execute the approach (Figure 2.4). One issue is the need to 
rightsize risk management. 


For example, transferring a well-understood risk through a one- 
off market hedge or the purchase of annual insurance can be 


5 For example, see the discussion in M. Crouhy, D. Galai, and R. Mark, 
“Insuring vs Self-Insuring Operational Risk: The Viewpoint of Depositors 
and Shareholders,” Journal of Derivatives 12 (2), 2004, pp. 51-55. 


e Determine the following: 

e Risk appetite/hedging philosophy; 

e Basic goals (e.g., reducing volatility, enhancing 
market-perceived soundness of firm, reducing taxes 
paid, reducing limit breach risk); 

e Accounting treatment (cost center, economic center, or 
profit center); and 

e Risks covered: 

e Risk type (financial risk, operational risk, business 
risk, reputational risk, strategic risk, etc.); and 
e Time horizons 
e Rightsizing the function: 
e Resources, and 
e Budget 
e Set reporting lines/accountability/oversight: 
e Independence 
e Establish policy and procedures (documentation). 
e Evaluate performance: 
e Evaluation methodology, and 
e Incentive compensation 


GAEE] Ensuring the risk management unit is fit 
for purpose. 


(relatively) simple. Running a dynamic and sophisticated hedg- 
ing strategy that involves continual readjustment in the markets 
is another matter entirely. 


Dynamic strategies can offer cost savings, but they require a 
much bigger investment in systems and trader expertise. They 
may require the firm to build complex models and to apply 
sophisticated metrics (e.g., VaR) and a wider-ranging limit system 
(Figure 2.5). It also becomes more important to separate out the 
trading function from the back-office and risk oversight functions. 


Without rightsized teams in place, firms using sophisticated 

risk management instruments and strategies can become too 
dependent on suppliers such as investment banks. For example, 
they may end up without a good way to independently price 

an instrument. At several points during the year, firms need to 
conduct a board-level gap analysis to make sure their level of 
sophistication matches the conservatism of their strategy. 


A firm will also need to make sure the risk management function 
has a clear accounting treatment in terms of whether it operates 
as a cost center or a profit center. Risk management at many 
non-financial firms is regarded a cost center, while some forms 
of risk management in banking adopt a profit center approach. 


Firms also need to decide on a related issue: should the costs 

of risk management be proportionally distributed to the areas 
that risk management serves? The answers to all these questions 
depend on an organization's risk culture and appetite. 
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Limit 


Nature 


Example Weakness 


Stop Loss Limits 


Loss threshold and associated action (e.g., close out, 
escalation) 


Will not prevent future exposure, only limit 
realized losses 


Notional Limits 


Notional size of exposure 


Notional amount may not be strongly related 
to economic risk of derivative instruments, 
especially options. 


Risk Specific Limits 


Limits referencing some special feature of risk in 
question (e.g., liquidity ratios for liquidity risk) 


These limits are difficult to aggregate; may 
require specialized knowledge to interpret. 


Maturity/Gap Limits 


Concentration Limits 


Limit amount of transactions that mature or reset/ 
reprice in each time period 


Limits of concentrations of various kinds (e.g., to 
individual counterparties, or product type) 


These limits reduce the risk that a large volume 
of transactions will need to be dealt with in a 
given time frame, with all the operational and 
liquidity risks this can bring. But they do not 
speak directly to price risk. 


These limits must be set with the understand- 
ing of correlation risks. They may not capture 
correlation risks in stressed markets. 


Greek Limits 


Value-at-Risk (VaR) 


Stress, Sensitivity, 
and Scenario Analysis 


Option positions need to be limited in terms of their 
unique risk characteristics (e.g., delta, gamma, vega risk) 


Aggregate statistical number 


These limits are based on exploring how bad things 
could get in a plausible worst-case scenario. Stress tests 
look at specific stresses. Sensitivity tests look at the 
sensitivity of a position or portfolio to changes in key 
variables. Scenario modeling looks at given real-world 


These limits suffer from all the classic model 
risks and calculation may be compromised at 
trading desk level without the right controls 
and independence. 


VaR suffers from all the classic model risks and 
may be misinterpreted by senior management. 
Specifically, VaR does not indicate how bad a 

loss might get in an unusually stressed market. 


Varies in sophistication. Dependent on deep 
knowledge of the firm’s exposures and market 
behavior. Difficult to be sure that all the bases 
are covered (e.g., there are endless possible 
scenarios). 


scenarios (hypothetical or historical). 


GEM Limits—Example Types. 


2.6 RISK TRANSFER TOOLBOX 


In many cases, the risk manager will decide to transfer a portion 
of a financial risk to the risk management markets. The range 
of instruments available for hedging risk is can be categorized 
(broadly) into swaps, futures, forwards, and options. 


These instruments have different capabilities like the different 
tools in a toolbox (Figure 2.6). 


The use of these instruments requires firms to make key deci- 
sions based on their specific needs. For example, firms must 
decide how much they are willing to pay to preserve flexibility. 
Note that a forward contract provides price stability, but not 
much flexibility (because it requires the transaction to occur at 
the specified time and price). A call option provides both price 
stability and flexibility, but it comes with its own added cost (i.e., 
the option premium). 


Another key difference cuts across instrument types: trading 
mechanics. Is the instrument offered through one of the large 
exchanges, or is it a private bilateral OTC agreement between 
two parties? OTC and exchange-based derivatives have differ- 
ent strengths and weaknesses, particularly relating to liquidity 
and counterparty credit risk. 


Exchange-based derivatives are designed to attract trading 
liquidity. Not all succeed, but most can be traded easily at a 
relatively low transaction cost. The downside of this approach 

is like that of buying an off-the-rack suit: it is difficult for the risk 
manager to find a perfect fit. For example, a commodity risk 
manager may find the available futures contract does not cover 
the exact risk type, has a timing mismatch, or captures the price 
in the wrong location. These mismatches create basis risk. 


More positively, exchange-based derivatives minimize counter- 
party credit exposure through margin requirements and netting 
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Instrument Type 


Defining Features 


Forwards 


It is a tailored agreement to exchange an agreed upon quantity of an asset at a pre-agreed price at some 
future settlement date. The asset may be delivered physically, or the contract may stipulate a cash settlement 
(i.e., the difference between the agreed upon price and some specified spot or current price). 


Futures 


It is an exchange-listed forward with standardized terms, subject to margining. 


Swap 


It is an over-the-counter (OTC) agreement to swap the cash flows (or value) associated with two different 
economic positions until (or at) the maturity of the contract. For example, one side to an interest rate swap 
might agree to pay a fixed interest rate on an agreed upon notional amount for an agreed upon period, while 


the other agrees to pay the variable rate. Swaps take different forms depending on the underlying market. 


Call Option 


The purchaser of a call option has the right, but not the obligation, to buy the underlying asset at an agreed 
upon strike price, either at the maturity date (European option) or at any point during an agreed upon period 
(American option). 


Put Option 


The purchaser of a put option has the right, but not the obligation, to sell the underlying asset at the agreed 


(American option). 


upon strike price at the maturity date (European option) or at any point during an agreed upon period 


Exotic Option 


There are many different options beyond the standard or plain vanilla puts and calls. These include Asian (or 
average price) options and basket options (based on a basket of prices). 


Swaption 


It is the right, but not the obligation, to enter a swap at some future date at pre-agreed terms. 


EMME The risk management toolbox. 


arrangements. Counterparty credit risk in the OTC markets 
often looks rather low until a financial crisis occurs. At that point, 
banks and other counterparties suddenly look fragile. Clearing 
houses have begun to play a bigger role in the OTC market, so 
the distinction between exchange-based and OTC instruments 
in terms of counterparty risk is no longer as clear cut. 


Risk managers can mix and match the various OTC and 
exchange-based instruments to form a huge variety of strate- 
gies. The next few sections look at strategy formulation in three 
key markets: agricultural products, energy, and interest rate/ 
foreign exchange. 


Beer and Metal 


The modern history of risk management arguably began with 
the agricultural futures contracts listed on the Chicago Board of 
Trade (CBOT) in the 1860s. Farmers, as well as food and drink 
producers, manage commodity price risks of many kinds. For 
example, the U.S. brewer Anheuser-Busch has big price expo- 
sures to wheat, barley, hops, corn grits, corn syrup, and other 
agricultural products, as well as to the aluminum it uses for its 
beer cans and the energy it uses in its processes. Like other 
brewers, it is a major user of derivatives to manage these risks 
(Figure 2.7). 


é Anheuser-Busch InBev, 2018 Annual Report, Section C: Commodity 
price risk, page 135. 


Notional Outstanding 
(Dec 31, 2018) 
Commodity Derivative (in USD Millions) 
Aluminum Swaps 1,670 
Exchange-Traded Sugar Futures 62 
Natural Gas and Energy Derivatives 313 
Corn Swaps 196 
Exchange-Traded Wheat Futures 424 
Rice Swaps 194 
Plastic Derivatives 84 


Anheuser-Busch: Selected commodity 
derivatives usage. 


Source: Anheuser-Busch InBev, 2018 Annual Report, Commodity price 
risk, page 135. 


Anheuser-Busch and other big U.S. brewers have various strate- 
gies available to them.” For example, the brewers can manage 
wheat price exposures by fixing the price they pay per bushel of 
wheat using futures contracts (e.g., contracts traded on the 
CBOT). They can then hold these contracts for some months 
until they mature. At that point, the brewers can either take 


7 For an enlightening account of Anheuser-Busch’s strategy see the first 
part of B. Tuckman, “Derivatives: Understanding Their Usefulness and 
Their Role in the Financial Crisis,” Journal of Applied Corporate Finance, 
Volume 28, Number 1, Winter 2016. 
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delivery as specified by the exchange or sell it near the delivery 
date and use the proceeds to purchase from their favored sup- 
plier. Either way, they have largely managed the price risk of 
wheat for that period using a liquid exchange contract. 


For a different commodity, such as the aluminum used in beer 
cans, the same brewer might instead turn to the OTC market 
and enter a swap with a bank. Here, the brewer pays the bank 

a fixed price for a given quantity of aluminum every few weeks 
for the life of the swap. In return, the bank pays the brewer the 
variable market price charged by the brewer's local aluminum 
suppliers. By tailoring an OTC swap, the brewer can manage the 
basis risks that arise from its production requirements (i.e., in 
terms of the precise time it needs the metal and any variability 
in local pricing). 


If the price of aluminum rises, the bank could end up with a heavy 
loss. More likely, the bank will lock in a profit margin by hedging 
its own position using its expertise in the metals markets. Mean- 
while, the brewer is happy because it has fixed an aluminum price 
that might otherwise prove highly volatile and subject to random 
geopolitical factors (e.g., trade disagreements, tariffs, or 
sanctions against key aluminum producing countries).® 


Airline Risk Management: Turbulence 
Ahead 


Airlines are heavily exposed to volatile jet fuel prices, with as 
much as 15-20% of airline operating costs burnt in the air. In 
their fiercely competitive industry, airlines cannot easily raise 
passenger ticket prices in response to spikes in oil prices. This 
is because ticket pricing follows consumer demand rather than 
airline costs. 


As a result, the industry has used a sophisticated combination of 
swaps, call options, collars (i.e., calls and puts), current oil con- 
tracts, and other instruments to manage its price risks since the 
mid-1980s. (The market matured quickly after the 1990-1991 
Gulf War caused a spike in energy prices. Note that many man- 
agement markets are born out of crises.) 


One problem for airlines is that there are few futures contracts 
available for jet fuel. Using widely available exchange instru- 
ments to hedge against the price of crude oil or some other 
oil product (e.g., heating oil) is one way to get around this. 


8 See A. Petroff, “Sanctions Have Sent Aluminium Soaring. That Could 
Hurt Your Wallet,” CNN Money, April 11 2018, see http://money.cnn 
-com/2018/04/1 1/investing/aluminum-prices-sanctions-rusal/index.html. 
The price of the metal is also affected by more fundamental factors such 
as bauxite mining and smelting costs. See C. Harris, “Long-term Metal 
Price Development,” Managing Metals Price Risk, Risk Publications, 
1997, pages 167-187. 


However, this method leaves airlines open to changes in the 
volatile “spread” between the price of jet fuel and the price of 
crude oil. Airlines using this approach therefore need to hedge 
this differential, as well as other basis risks in terms of timing 
and location. As an alternative, many firms use OTC instruments 
to tailor their hedging to jet fuel prices and to their specific 
delivery requirements. 


Despite decades of jet fuel hedging, there is still industry dis- 
agreement about whether airlines ought to be hedging at all. 
Most airlines hedge some of their price risk, but some prefer to 
retain it all. 


The naysayers cite the expense of hedging programs, as well 

as the risk hedging will lock in jet fuel prices at a high point in 
the market just before a steep price fall. This might not seem so 
bad. Few airlines are 100% hedged so a price fall is always good 
news. However, it can lead to severe hedging losses and make 
the profitability of the hedged airline look poor compared to its 
unhedged competitors. 


Unhedged American Airlines reported a bumper year for 2014 
because it could take full advantage of a 40%-50% fall in the 
price of jet fuel. American, unlike its hedged competitors,” 
ended up saving USD 600 million. With oil prices staying low in 
the years after 2014, many of American Airlines’ competitors 
began cutting back on their hedging operations. 


But remaining unhedged is also a bet. Back in 2008, oil had 
reached unexpected highs even as the world was enveloped in a 
financial crisis. That year, the airlines with the tightest hedging 


programs were the ones that looked clever.'° 


Airlines can try to get around this conundrum by hedging only 

a portion of their jet fuel costs, using options, or entering long 
forward contracts on jet fuel. But options-based strategies, while 
arguably the purest form of risk management, can be expensive 
to put in place. 


Might vertical integration help? Delta Air Lines, one of the 
world’s largest airlines, bought its own oil refinery in 2012 as 
part of its fuel management strategy. Over the years, the invest- 
ment has allowed the airline to manage jet fuel availability in a 
key region while helping to cover the spread between jet fuel 
costs and the cost of crude oil. 


? H. Martin, “American Airlines’ Fuel-Buying Bet Pays Off in Record 
Profit,” Los Angeles Times, January 28, 2015; see http://www.latimes 
.com/business/la-fi-airlines-fuel-hedging-20150128-story.html 


10 For an accessible overview of airline hedging ups and downs, 
see H. Gosai, Part Two: Fuel Hedging in the Airline Indus- 

try, September 2017: https://airlinegeeks.com/2017/09/18/ 
part-two-fuel-hedging-in-the-airline-industry/ 
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BOX 2.4 MCDONALD'S FINANCING AND MARKET RISK—FORM 10-K EXCERPTS 


“The Company generally borrows on a long-term basis and 

is exposed to the impact of interest rate changes and foreign 
currency fluctuations. Debt obligations at December 31, 2017 
totalled USD 29.5 billion, compared with USD 26.0 billion at 
December 31, 2016.... 


The Company uses major capital markets, bank financ- 

ings and derivatives to meet its financing requirements and 
reduce interest expense. The Company manages its debt 
portfolio in response to changes in interest rates and foreign 
currency rates by periodically retiring, redeeming and repur- 
chasing debt, terminating swaps and using derivatives. The 
Company does not hold or issue derivatives for trading pur- 
poses. All swaps are over-the-counter instruments. 


In managing the impact of interest rate changes and for- 
eign currency fluctuations, the Company uses interest rate 


However, the refinery industry has its own ups and downs, which 
could be a potential distraction for Delta. Furthermore, owning 
a refinery arguably increases the airline’s exposure to crude oil 
price volatility."' After all, most of a refinery’s output is not jet 
fuel. In airline risk management, as in life, there are no easy 
answers. 


Interest Rate Risk and Foreign Exchange 
Risk Management 


Interest rate and foreign currency risks are critical areas of price 
risk management for many firms. Box 2.4 presents excerpts from 
McDonald's 2017 Form 10-K (i.e., its annual report) that help 
explain why this is so. As a global business with a presence in 
over 100 countries, the fast food operator and franchiser has an 
active risk management function. 


While individual transactions can be important, large firms like 
McDonald’s have many financial exposures that balance and 


11 The refinery, situated on the East Coast of the United States, has 

had some good and some less good years in terms of profitability, 

but has given Delta some leverage on jet fuel prices and more gener- 
ally the “crack spread” in the region. See A. Levine-Weinberg, “Delta 
Air Lines’ Refinery Bet is About to Pay Off Again,” The Motley Fool, 
September 2017: https://www.fool.com/investing/2017/09/03/delta- 
air-lines-refinery-bet-is-about-to-pay-off-a.aspx; J. Renshaw, “Exclusive: 
Delta Hires Consultant to Study Refinery Options—Sources,” March 14, 
2017: https://www.reuters.com/article/us-delta-air-refineries-monroe/ 
exclusive-delta-hires-consultant-to-study-refinery-options-sources-idUSK- 
BN16L24H; A. M. Almansur et al., “Hedging Gone Wild: Was Delta Air- 
lines’ Purchase of Trainer Refinery a Sound Risk Management Strategy?” 
October 4, 2016. This final reference includes a review of the literature 
on the value of hedging price risk, see pages 4-7. 


swaps and finances in the currencies in which assets are 
denominated. The Company uses foreign currency debt 
and derivatives to hedge the foreign currency risk associ- 
ated with certain royalties, intercompany financings and 
long-term investments in foreign subsidiaries and affiliates. 
This reduces the impact of fluctuating foreign currencies on 
cash flows and shareholders’ equity. Total foreign currency- 
denominated debt was USD 12.4 billion and USD 8.9 bil- 
lion for the years ended December 31, 2017 and 2016, 
respectively. In addition, where practical, the Company's 
restaurants purchase goods and services in local currencies 
resulting in natural hedges.” 


Source: Excerpts are from McDonald's Corporation, Form 
10-K annual report for the fiscal year ended December 31, 
2017, pages 26-27. 


offset each other. In fact, the business activities of a large firm 
often create natural hedges (e.g., the inflows and outflows of 
foreign currency).'2 


Moreover, the relationship between interest rates and foreign 
exchange rates is itself important. For example, should a firm 
raise money in the same currency as its overseas operations to 
minimize its exposure to foreign exchange risk? This may not be 
a practical option in some markets. 


For many firms, interest rate risk is a major concern. Their funda- 
mental task is to avoid taking on too much debt at high interest 
rates and avoid overexposure to variable rates of interest. This 
balancing act is determined by: 


e Each firm's financial risk appetite, which may set out the lev- 
els of debt the board is happy with, and 


e The proportion of fixed interest to variable interest, (perhaps 
across several time horizons). 


A firm’s financial risk appetite needs to be congruent with its 
target credit rating and any covenants it has made to banks and 
other financing providers. 


Even if the firm's risk appetite remains stable, the rest of its risk 
management environment is constantly changing (Figure 2.8). 
These changes will come as the debt portfolio matures, business 
financing needs evolve, as well as when regulations and taxes 


12 There is reason to think that many firms use derivatives only to fine- 
tune their risk profile, with much of the risk management already accom- 
plished through business decisions and natural hedges. See discussion 
in W. Guay and S. P. Kothari, “How Much Do Firms Hedge with Deriva- 
tives,” March 2002, p. 3; paper: http://www1.american.edu/academic 
.depts/ksb/finance_realestate/mrobe/Library/howmuch.pdf 
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Firm Risk Appetite 


The firm's risk appetite sets the key goals. 


Market Practicalities 


It may be easier to raise money in one marketplace and then shift risk charac- 
teristics (currency, fixed versus. variable, etc.) into another using derivatives. 


Changing Business and Financing Needs 


Basic Aims: Cost Center versus Profit Center 


Deals roll over, and businesses grow. 


The treasurer may be permitted to take a view on the market direction. 


Regulations and Taxes 


Market Direction and Behavior 


The treasurer may need to respond to changes in the regulations and taxes. 


The treasurer may need to prepare for rising interest rates or respond to yield 
curve behavior. 


GEM] What drives interest rate risk management—examples of factors. 


change. More urgently, interest rates change and so do the rela- 
tionships between rates across a range of maturities (i.e., yield 
curve risk). 


Changes in interest rates are linked to the broader economy and 
consumer demand. They may affect the fundamental health of 

a business, including its ability to meet debt obligations. On the 
upside, the falling cost of servicing variable rate debt can offer an 
important natural hedge in a deteriorating business environment. 


Treasurers meet this complex challenge by using a variety of 
instruments, such as OTC interest rate swaps and currency 
swaps. When formulating specific strategies, the risk manager 
should return repeatedly to the firm’s risk appetite and their 
directive. Often, that directive is to create a more stable version 
of the future around which the firm can plan. 


2.7 WHAT CAN GO WRONG IN 
CORPORATE HEDGING? 


The answer to this question: everything! A firm can misunder- 
stand the type of risk to which it is exposed, map or measure 
the risk incorrectly, fail to notice changes in the market struc- 
ture, or suffer from a rogue trader on its team. Figure 2.9 sets 
out some simple tips that might have prevented many corporate 
risk management disasters. 


One cause of a mishap is to create a “risk management” pro- 
gram that is not really intended to manage risk. For example, it 
may seem legitimate for the firm to use risk management instru- 
ments to lower the amount of interest that it pays. Swaps and 
other derivatives can be used to attempt to reduce the amount 
of interest paid, but in exchange the hedger may be forced 
take on much more downside risk, or to alter the structure of 
the interest paid to minimize payments in the short-term in 
exchange for ballooning payments in the future. 


This kind of program is often more about artificially enhancing 
returns to meet analyst forecasts, or covering up fundamental 


Tips 


Set out clear goals. 


Keep instruments and strategies simple. 


Disclose the strategy and explain ramifications. 


Set resources and limits suitable for the strategy. 


Stress test and set up early warning indicators. 


Watch for counterparty and break clause risk. 


Consider the ramifications of many different market 
scenarios, for example, margin calls. 


GEX] Simple tips for conservative end users. 


business problems, than it is about true risk management. At 
worst, the program might be characterized by unnecessarily 
complex derivative structures, leverage, or strategies that turn 
sour after some superficially unlikely but entirely plausible event 
(such as an unexpected shift in interest rates or a rise in basis 
risk). This is not really a failure of risk management, but of cor- 
porate governance. 


A purer cause of failure is poor communication about the risk 
management strategy and its potential consequences. The clas- 
sic example of this is perhaps the implosion of the MGRM (MG 
Refining and Marketing) hedging program in 1993. 


MGRM, the energy trading US subsidiary of Metallgesellschaft 
AG, had promised to supply end users with 150 million bar- 
rels of gasoline and heating oil over ten years at fixed prices. It 
hedged this long-term price risk with a supersized rolling pro- 
gram of short-dated futures and OTC swaps. 


The hedging strategy might well have worked if it had been 
pursued to the end. However, changes in the underlying oil 
market (i.e., a fall in cash prices and a shift in the price curve 
from backwardation to contango) meant that the program gen- 
erated huge margin calls that became a severe and unexpected 
cash drain. 
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As a result, MGRM's startled parent company liquidated the 
hedges at a considerable loss. What happened next is that the 
market reversed and moved against the now unhedged MGRM, 
resulting in even greater losses on its original customer commit- 
ments. Essentially, MGRM lost twice: 


e First, when it unwound the hedges at a loss due to the cash 
drain from the margin calls, and 


e Second, when the market moved against the original con- 
tracts (which were by then unhedged). 


In this case, no rogue traders were involved. Instead, MGRM 
remains a lesson in the importance of thinking through the 
possible consequences of hedging programs and communicat- 
ing the ramifications to stakeholders. If MGRM's management 
had anticipated the potential liquidity impact of hedging with 
futures, they could have set aside enough capital to meet the 
margin calls and maintain the hedge. Or maybe they might have 
decided to hedge differently in a way that did not create so 
much liquidity risk from collateral calls. 


Of course, the world never hears about the hedges that go 
right. Or about the firms that would have gone bust if they had 
not put a well-managed, well communicated hedging program 


Do you think derivatives end-user activity (hedging, 
trading) in the industry will increase, decrease, or 
stay the same over the next three to five years? 


Hilncrease W Stay the same El Decrease 


AMCA] Professionals believe derivatives 
end-user activity will increase. 
Source: ISDA, Future of Derivatives Survey, April 2018, page 4; survey 


conducted February-March 2018; respondents comprised 43% buy-side 
firms (financial and non-financial firms). Reprinted by permission. 


into place. There's a reason most professionals believe end-user 
activity will continue to increase in the derivatives markets in the 
years ahead (Figure 2.10). 


SUMMARY 


This chapter has set out a logical way to think through the cor- 
porate risk management process. But there are no silver bullets 
and no easy answers. 


Firms must understand their business exposure and their nat- 
ural hedges. They must think through and justify their hedg- 
ing philosophy. They must set out their risk appetite, and link 
this to specific goals as well as to practical levers (e.g., risk 
limit frameworks and a rightsized risk management function). 
They must communicate about risk goals and hedging strate- 
gies so that consequences are well understood, and expecta- 
tions are managed. 


Finally, they must do something less tangible: build the right risk 
culture in which everyone works together to the same end. Risk 
culture can be assessed. Important questions to ask include the 
following. 


e Can the firm show it regularly communicates about risk and 
responds to warning signs and near misses? 


e Has it tested whether key staff have a common understand- 
ing of the firm's risk appetite? 


e Can it demonstrate that its board has an awareness of the 
firm's top ten risks?13 


All this is important for firms, but it is also important for those at 
the coalface of risk management. A risk manager that attains a 
pre-agreed risk management goal (e.g., stabilizing a volatile busi- 
ness exposure over a three-year time horizon) has done a difficult 
job. That risk manager deserves to know that his or her success 
is part of a bigger strategic plan that has already been communi- 
cated to stakeholders and is supported by the whole firm. 


13 For further discussion see S. Heiligtag, A. Schlosser, and U. Stegemann., 
“Enterprise-risk-management practices: Where’s the Evidence? A survey 
across two European industries,” McKinsey Working Papers on Risk, 
Number 53, February 2014, Exhibit 6. 
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The following questions are intended to help candidates understand the material. They are not actual FRM exam questions. 


QUESTIONS 


2.1 


2.2 


2.3 


2.4 


2.5 


2.6 


2.7 


2.8 


2.9 


2.10 


2.11 


2.12 


What are the key risk management components that need 
to be re-evaluated on a regular basis for designating a risk 
management road map? 


Provide several examples to demonstrate that the C-suite 
supports a strong risk culture. 


Describe what is meant by risk appetite in practical 
terms. 


Provide examples of what factors drive interest rate risk 
management. 


Provide examples of hedging tips for conservative end 
users. 


Describe why modern firms make such a big deal of finan- 
cial risk management? 


Provide examples of commodity derivatives that a brewery 
might use to manage their risk. 


Risk appetite includes asking “Who are we?” and “Who 
do our stakeholders think we are?" well before trying to 
operationalize a risk appetite. 

A. True 

B. False 


The MGRM (MG Refining & Marketing) hedging program 
in 1993 is a classic example of good communication 
about the risk management strategy and its potential 
consequences. 

A. True 

B. False 


A firm can find a complicated tailored instrument that 
always dampens their exposure to a variable interest rate. 
A. True 

B. False 


Airlines are heavily exposed to volatile jet fuel prices, with 
as much as 45-60% of airline operating costs burnt in the 
air. 

A. True 

B. False 


MGRM'’s hedging strategy might well have worked if it 
had been pursued to the end. 

A. True 

B. False 


2.13 


2.14 


2.15 


2.16 


2.17 


2.18 


2.19 


2.20 


Airlines have used a sophisticated combination of swaps, 
call options, collars (calls and puts), futures contracts, and 
other instruments to manage their price risks since around 
the mid-1980s. 

A. True 

B. False 


MGRM was exposed to a shift in the price curve from 
backwardation to contango, which meant that the pro- 
gram generated huge margin calls that became a severe 
and unexpected cash drain. 

A. True 

B. False 


There is an agreement among experts that all airlines 
ought to be hedging their jet fuel price risk. 

A. True 

B. False 


If a risk exists then the firm should always hedge it. 
A. True 
B. False 


McDonalds uses major capital markets, bank financings, 
and derivatives to meet its financing requirements and 
reduce interest expense. 

A. True 

B. False 


Risk appetite refers to the total amount of risk 

A. the firm could bear without becoming insolvent. 

B. the firm is taking today. 

C. the amount that it would be happy to bear at any one 
time. 

D. none of the above. 


Risk capacity refers to the total amount of risk 

A. the firm could bear without becoming insolvent. 

B. the firm is taking today. 

C. the amount that it would be happy to bear at any 
one time. 

D. none of the above. 


Transferring risk to a third party includes 
A. insurance contracts. 

B. financial derivatives. 

C. all of the above. 

D. none of the above. 
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2.21 Exchange-based derivatives are designed to 
A. be traded easily at a relatively low transaction cost. 
B. bea perfect fit hedge. 
C. avoid basis risk. 
D. reduce counterparty credit risk. 


2.22 Minimizing counterparty credit exposure can be obtained 
through the use of 
A. margin requirements. 
B. netting arrangements. 
C. all of the above. 
D. it cannot be minimized at all. 


2.23 The agricultural futures contracts first listed on the 
Chicago Board of Trade (CBOT) in the 
A. 1860s. 
B. 1920s. 
C. 1940s. 
D. after the 1950s. 


2.24 Do equity investors want managers to hedge risk? 
A. Generally yes, if the investor has concentrated their 
investment in a particular firm 
B. Always yes 


2.25 Brewers can fix the price they pay per bushel of wheat 
to manage wheat price exposures by buying futures con- 
tracts and 
A. holding these futures contracts until they mature and 

take delivery specified by the exchange in terms of 
quality and location. 

B. selling these futures contracts near the delivery date 
and using the proceeds to purchase the wheat now 
from their favored supplier. 

C. All of the above 


2.26 Once the firm/bank makes a risk appetite statement 
A. it is committed to follow it for at least three years. 
B. it must report it in their annual financial report. 
C. the board must approve it. 
D. all of the above. 
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ANSWERS 


2.1 


2.2 


2.3 


Re-evaluate regularly changes in: 

e Risk appetite/risk understandings/stakeholder 
viewpoint, 

e Business activity and risk environment (remapping), and 

e New tools, tactics, cost/benefit analysis. 

The C-Suite can demonstrate it has a strong risk culture 

through: 

e Regularly communicating about risk, 

e Responding in a timely manner to warning signs and 
near misses, 

e Periodically testing whether there is a common under- 
standing of the firm’s risk appetite, 

e Demonstrating that it has an awareness of the firm's 
top ten risks, and 

e Communicating that the success of the risk manager s 
is part of a bigger strategic plan. 

First, it is a statement about the firm’s willingness to take 

risk in pursuit of its business goals. Second, it is the sum 

of the mechanisms that link this top-level statement to the 

firm's day-to-day risk management operations. It assesses 

the risk exposures the firm is willing to assume in relations 

to the expected returns from engaging in risky activities. 


2.4 
Firm Risk Appetite 


The firm's risk appetite sets 
the key goals. 


Market Practicalities 


It may be easier to raise money 
in one marketplace and then 
shift the risk characteristics (cur- 
rency, fixed versus variable etc.) 
in another using derivatives. 


Changing Business 
and Financing Needs 


Meanwhile, deals roll over, 
businesses grow. 


Basic Aims: Cost 
Center versus Profit 
Center 


The treasurer may be permit- 
ted to take a view on the mar- 
ket direction. 


Regulations and 
Taxes 


Market Direction and 
Behavior 


The treasurer may need to 
respond to change in the 
rules of the game. 


The treasurer may need to 
prepare for rising interest 
rates or respond to yield 
curve behavior. 


2.5 


2.6 


2.7 


2.8 
2.9 
2.10 


2:11 


2.12 
2.13 
2.14 


Tips include 


e Setting clear goals, 


e Keeping instruments simple, 
e Keeping strategies simple, 


e Disclosing the strategy, 
e Explaining ramifications, 


e Setting resources and limits suitable for the strategy, 


e Stress testing, and 
e Setting early warning indicators. 


The answer lies in two aspects of risk management. First, 
the need to manage financial risk grew significantly from 
the 1970s on because commodity, interest rate, and 
foreign exchange markets liberalized, and price volatil- 
ity shot up. Second, growth in market volatility helped 
spawn a fast-evolving market in financial risk manage- 
ment instruments through the 1980s and 1990s, giving 
more opportunities to manage their risk adjusted returns. 
Globalization of companies and of trading introduced 
additional financial risk exposures. 


These commodity derivatives might include 


e Aluminum swaps, 


e Natural gas and energy derivatives, 


e Exchange-traded wheat futures, 


e Exchange-traded sugar futures, 


e Corn swaps, and 


e Rice swaps. 


True 

False 

False, because only true if interest rates stay within 
certain bounds. If interest rates later break through a 
given ceiling, then the firm's financial exposure might 
increase. 

False, because only 15-20% of airline operating costs are 
burnt in the air. 

True 

True 

True 
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2.15 


2.16 
2.17 
2.18 


2.19 


False, most airlines hedge some of their price risk, 

but some prefer to retain it all. The naysayers cite the 
expense of hedging programs and fear that they will lock 
in jet fuel prices at a high point in the market, just before 
a steep price fall. 


False 
True 


C. the amount that it would be happy to bear at any 
one time 


A. the firm could bear without becoming insolvent 


2.20 C. all of the above. 

2.21 D. reduce counterparty credit risk 
2.22 C. all of the above 

2.23 A. 1860s 


2.24 Generally yes. Potentially no in the case where the 
investor holds the investment as part of a diversified 
portfolio. 


2.25 C. all of the above 
2.26 The board must approve it. 
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The Governance 
of Risk Management 


E Learning Objectives 


After completing this reading you should be able to: 


® Explain changes in regulations and corporate risk 
governance that occurred as a result of the 2007-2009 
financial crisis. 


® Describe best practices for the governance of a firm’s risk 
management processes. 


® Explain the risk management role and responsibilities of a 
firm's board of directors. 


® Evaluate the relationship between a firm’s risk appetite 
and its business strategy, including the role of incentives. 


® Illustrate the interdependence of functional units within a 
firm as it relates to risk management. 


® Assess the role and responsibilities of a firm's audit 
committee. 
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Corporate governance is the way in which companies are run.! It 
describes the roles and responsibilities of a firm's shareholders, 
board of directors, and senior management. 


Corporate governance, along with its relationship to risk, has 
become a major issue in the banking industry. This chapter 
traces the development of risk governance (i.e., how firms 
undertake and oversee risk management) over the past two 
decades. It describes how risk governance morphed from a 
vague principle into a well-defined set of best practices and 
became a central tenet of modern banking regulation. 


The ascendance of risk governance is closely linked to a series 
of high-profile corporate scandals that occurred in the first 
decade of the twenty-first century. The first wave of these 
failures included the bankruptcies of Enron in 2001, WorldCom 
and Global Crossing in 2002, and Parmalat SpA in late 2003. In 
these cases, corporate failure was precipitated by financial or 
accounting fraud. 


While this fraud was perpetrated primarily by executives, it is 
important to note that their actions were seemingly unchecked 
by the firms’ auditors and boards of directors. Specifically, 
boards and shareholders were not informed of the economic 
risks undertaken by corporate management. This lack of com- 
munication reflected a fundamental breakdown in corporate 
disclosure and accountability. Financially engineered products 
(e.g., derivatives) were often involved and were used at times to 
disguise the severity of the failing firms’ financial positions. 


These scandals, and the faulty corporate governance that 
allowed them to occur, led to regulatory reforms designed to 
enhance the governance of public firms, increase transparency 
and executive accountability, and improve financial controls and 
oversight. In the United States, these changes took the form of 
federal legislation: the Sarbanes-Oxley Act? (SOX). This law laid 
the foundation for federally enforced corporate governance 
rules based on stricter securities regulation. The law was passed 
in 2002 and the new standards were put into effect the 
following year, with the Securities and Exchange Commission 
requiring US-based securities exchanges and associations to 
make sure that their listing standards conformed to the new 
mandated standards set forth by SOX.? In addition to 
governance, these rules also had significant implications for risk 
management. 


1 Report of the Committee on the Financial Aspects of Corporate 
Governance (1992), http://cadbury.cjbs.archios.info/report. 


2 The Sarbanes-Oxley Act - Pub. L. 107-204, 116 Stat. 745. 


3 The final rule on standards for Listed Companies Audit Commit- 
tees was put into effect in April of 2003, with exchanges required to 
have their own internal rules for compliance approved by the SEC by 
December 1, 2003. 


Europe refrained from a legislative approach. Instead, European 
regulators pursued a voluntary reform of corporate codes and 

a regime of “comply-or-explain” for departures from these 
codes. These reforms focused on internal controls, governance 
mechanisms, and financial disclosure and did not directly 
address risk management. 


The 2007-2009 global financial crisis was directly tied to risk 
management failures. The crisis itself was triggered by the 
downward turn in a previously “hot” housing market, which 
was fueled by an all-too-easy mortgage market and acceler- 
ated by a booming market for privately issued mortgage- 
backed securities that were traded by leading financial 
institutions.’ During this time, lenders engaged in unsound 
practices by extending mortgages to unqualified individuals 
and encouraging homeowners to take on more debt than they 
could handle. Investment banks securitized these loans into 
complex asset-backed securities, which found their way into 
the mainstream credit market. The financial institutions respon- 
sible for originating and trading these structured instruments, 
as well as the rating agencies that assigned them credit 
ratings, failed to accurately appraise their value and risk. 


As the number of mortgage defaults climbed, the system unrav- 
eled and several major investment banks holding low-quality 
assets to use as collateral for privately issued mortgage-backed 
securities found themselves on the verge of collapse. As the 
crisis unfolded, it became apparent that the problems encoun- 
tered in the mortgage market extended far beyond homeowner 
lending. During the boom years preceding the crisis, risk man- 
agement at many financial institutions was marginalized as 
executive management threw caution to the wind in pursuit 

of greater returns. The decline in underwriting standards, the 
breakdown in oversight, and a reliance on complex credit instru- 
ments came to characterize the credit markets. This eventually 
led to the failure of numerous financial institutions. Although 
originating in the United States, the crisis affected banking and 
economic activity all around the world. It was systemic in nature 
and global in scope. 


The events of 2007-2009 underscored the inadequacy of the 
corporate governance regulation adopted earlier in the decade. 


4 Mortgage-backed securities are issued by Ginnie Mae (a government 
agency), Fannie Mae and Freddie Mac (which at the time were Govern- 
ment Sponsored Enterprises), and private issuers such as banks and 
other financial institutions. Mortgage-backed securities issued by private 
issuers are not backed by any government entity. These mortgage- 
backed securities are also called non-agency mortgage-backed 
securities. Privately issued mortgage-backed securities were (at the 
time) backed by collateral that included loans to high grade borrowers 
(called prime borrowers) and those to borrowers with a blemished credit 
history (called subprime borrowers). It is the subprime mortgage-backed 
securities that caused the most problems in the mortgage market. 
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BOX 3.1 SARBANES-OXLEY (SOX) 


SOX came into effect on July 30, 2003, creating stricter legal 
requirements for boards, senior management, as well as both 
external and internal auditors. 


Some of the important aspects of SOX are re 


e Chief executive officers (CEOs) and chief financial officers 


fraudulent activities related to individuals who have a 
material role in the control systems, to external auditors, 
the internal audit function, and the firm's audit committee. 


The effectiveness of a firm’s reporting procedures and 
controls must be reviewed annually. 


(CFOs) must ensure that reports filed with the SEC are e The names of individuals who serve on the board audit 


accurate for publicly traded firms.° This includes certifying 


committee are to be disclosed. 


that “[such reports do] not contain any untrue statement 


of a material fact or omit to state a material fact. 


e CEOs and CFOs must affirm that disclosures provide a 
complete and accurate presentation of their company's 


ub These individuals are expected to: 
e Understand accounting principles, 


e Be able to comprehend financial statements, and 


financial conditions and operations. 


e CEOs and CFOs are also responsible for internal controls, 


e Have experience with internal audits and understand 
the functions of the audit committee. 


including their design and maintenance. 


e Furthermore, firm officers are required to disclose any 
significant deficiencies in internal controls, as well as any 


a Such reports are filed quarterly and annually. 


b The Sarbanes-Oxley Act - Pub. L. 107-204, 116 Stat. 745, section 302. 


LEER Key Post Crisis Corporate Governance Concerns—The Banking Industry 


Stakeholder Priority 


Enquiries into the 2007-2009 financial crisis found that often little attention was paid to controlling tail 
risks and considering truly worst-case outcomes. This has led to a debate about the uniquely compli- 
cated set of stakeholders in banking and the potential impact on corporate governance. 


In addition to equity, banks have large amounts of deposits, debt, and implicit government guar- 
antees. Depositors, debtholders, and taxpayers have a much stronger interest in minimizing the 
risk of bank failure than do most shareholders, who often seem to press for short-term results. 
Shareholder empowerment, the usual remedy to corporate governance ills, may therefore be an 
inadequate solution for the banking industry's woes. 


Board Composition 


The crisis reignited a longstanding debate as to how to ensure bank boards can achieve the appropri- 
ate balance of independence, engagement, and financial industry expertise. Analyses of failed banks 
do not show any clear correlation between success and a predominance of either insiders or outsiders. 
One can note, however, that failed bank Northern Rock had several banking experts on its board. 


Board Risk Oversight 


The importance of boards being proactive in risk oversight became increasingly recognized following the 
crisis. This has led to a focus on educating boards about risk and making sure they maintain a direct link 
to the risk management infrastructure (e.g., by giving CROs direct reporting responsibilities to the board). 


Risk Appetite 


Regulators have pushed banks to articulate a formal, board-approved risk appetite that defines a 
firm's willingness to undertake risk and tolerate threats to solvency. This can be translated into an 
enterprise-wide setting of risk limits. Engaging the board in the limit-setting process helps to make 
sure it thinks clearly about risk-taking and its implications for day-to-day decision-making. 


Compensation 


One of a board's key levers in determining risk behavior is its control over compensation schemes. 
Boards have a duty to examine how pay structures might affect risk-taking and whether risk-adjust- 
ment mechanisms capture all key long-term risks. Some banks have started instituting reforms, such as 
limiting the scope of bonuses in compensation packages, as well as introducing deferred bonus pay- 
ments and clawback provisions. 


Neither the regulation of Sarbanes-Oxley nor the principle-based 
light touch approach in Europe were able to avert the crisis in 
the banking and securities industries. Nonetheless, many saw the 
absence of executive accountability and the failure of internal 
corporate oversight as significant contributors to the crisis and 
the ensuing loss of confidence in the banking system. The debate 


on corporate governance continued in the aftermath of the crisis. 
Table 3.1 summarizes some of the key issues in this debate. 


5 See discussion in H. Mehran, A. Morrison, and J. Shapiro “Corporate 
Governance and Banks: What Have We Learned from the Financial Crisis?” 
Federal Reserve Bank of New York, Staff Report No. 502, June 2011. 
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3.1 THE POST-CRISIS REGULATORY 
RESPONSE 


The concerns regarding risk governance in the banking indus- 
try, summarized in the previous table, were and continue to be 
addressed in post-crisis financial regulation. The Basel Commit- 
tee on Banking Supervision (BCBS), an organization comprised 
of the central banks and bank supervisors from 27 jurisdictions, 
focuses on formalizing international standards for prudential 
banking regulation. The standards set by the BCBS are not 
legally binding, but they are incorporated voluntarily in the 
regulatory systems of members and other jurisdictions. 


The 1988 Basel Accord (Basel |) focused on devising a uniform 
method for setting capital adequacy standards in the wake 

of the Latin American debt crisis earlier that decade. Focus- 
ing primarily on credit risk, Basel | introduced a risk-weighted 
approach to capital requirements, setting the prescribed mini- 
mum capital at 8% of a firm’s risk-weighted assets. 


In 1999, the BCBS began work on a revised capital adequacy 
framework designed to supersede Basel |. This initiative, called 
the Basel II framework, was finalized in 2006 and incorporates a 
bank's trading activity alongside its lending activity in the calcu- 
lation of risk. The 8% minimum remained, but the risk-weighting 
methodology was refined. This made Basel I] more risk-sensitive 
and better attuned to financial innovation compared to its pre- 
decessor. Basel II also introduced standards for supervisory bank 
reviews as well as disclosure requirements to reinforce market 
discipline through transparency. 


Many jurisdictions were in the process of implementing Basel II 
when the global financial crisis unfolded. The Basel Ill Accord 
was a direct response to the crisis and focused on injecting 
greater systemic resiliency in the banking system. Basel III 
focuses on both firm-specific risk and systemic risk (i.e., the risk 
associated with the failure a major financial institution causing 
other interconnected financial institutions to fail, resulting in 
major harm to the economy). 


Most of the reforms being phased in under Basel III continue to 
emphasize capital adequacy issues, such as the coverage 
required from regulatory capital along with its quantity and qual- 
ity. Basel Ill raises capital quality by limiting core Tier 1 capital 
to common equity and retained earnings, which provide loss 
absorption unlike other forms of hybrid debt. Basel III also 
imposes new ratios for short-term and long-term liquidity, such 
as the 30-day Liquidity Coverage Ratio (LCR) and the one-year 
net stable funding ratio (NSFR). In particular, the NSFR should 


6 Tier 1 capital, also called core capital and primary capital, is the sum of 
common stock, retained earnings, and certain reserves. 


help to counter pro-cyclicality because it is designed to ensure 
banks lessen their dependence on wholesale short-term 
funding.” 


The risk-based capital requirements adopted in Basel II have 
been expanded to better address risks emanating from capi- 
tal markets activities. These risks include exposure to central 
counterparties, margins on non-centrally cleared derivatives, 
exposure to counterparty credit risks, and securitization. 


Basel III has also designed a macroprudential overlay intended 
to reduce systemic risk and lessen procyclicality. The macropru- 
dential overlay consists of five elements: 


1. A leverage ratio of 3%, 
2. A countercyclical capital buffer, 


3. Total loss-absorbing capital (TLAC) standards that apply to 
global systemically important banks (G-SIBs), 

4. Systemically important markets and infrastructures (SIMIs); 
in the case of OTC derivatives, the Basel Committee is 
pushing the market to move as many trades as possible 
through centralized clearing and trade reporting, and 


5 


Capturing systemic risk and tail events in risk modeling and 
stress testing. 


The framework for handling market risk was revised in 2016 with 
the Fundamental Review of the Trading Book (FRTB).® Specifi- 
cally, disclosure requirements were enhanced to reflect a more 
comprehensive approach to describing and calculating risk, as 
well as to facilitate comparative risk analysis. 


The BCBS also confronted governance issues exposed by the 
crisis. In October 2010, it issued several principles designed to 
improve corporate governance in the banking industry. These 
principles addressed the duties of the board and the qualifica- 
tion of board members, as well as the importance of an inde- 
pendent risk management function. These principles were 
revised in 2015 with an eye towards reinforcing the board's 
active role in collective oversight and risk governance.'° The 
revised guidance report defines roles of the board and the 
board risk committees, senior management, chief risk officers 
(CROs), and internal auditors. 


7 When this funding evaporates during a credit crisis, it forces banks to 
shed assets at depressed prices to meet liquidity requirements. 


8 Basel Committee for Banking Supervision, Minimum Capital Require- 
ments for Market Risk, January 2016. 


? Basel Committee for Banking Supervision, Principles for Enhancing 
Corporate Governance, October 2010. 


10 Basel Committee for Banking Supervision, Corporate Governance 
Principles for Banks, July 2015. 
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LEERY Corporate Governance Principles for Banks 


{lo 


Board’s Overall 
Responsibilities 


The board has overall responsibility for the bank, including approving and overseeing 
management's implementation of the bank's strategic objectives, governance frame- 
work and corporate culture. 


2 Board Qualifications Board members should be and remain qualified, individually and collectively, 

and Composition for their positions. They should understand their oversight and corporate gover- 
nance role and be able to exercise sound, objective judgment about the affairs of 
the bank. 

3. Board's Own Structure The board should define appropriate governance structures and practices for its own 
and Practices work and put in place the means for such practices to be followed and periodically 

reviewed for ongoing effectiveness. 

4. Senior Management Under the direction and oversight of the board, senior management should carry out 
and manage the bank’s activities in a manner consistent with the business strategy, risk 
appetite, remuneration, and other policies approved by the board. 

55 Governance of Group In a group structure, the board of the parent firm has the overall responsibility for the 

Structures group and for ensuring the establishment and operation of a clear governance frame- 
work appropriate to the structure, business, and risks of the group and its entities. The 
board and senior management should know and understand the bank group's organi- 
zational structure and the risks that it poses. 

6. Risk Management Banks should have an effective independent risk management function, under the 
Function direction of a chief risk officer (CRO), with sufficient stature, independence, resources, 

and access to the board. 

7 Risk Identification, Risks should be identified, monitored, and controlled on an ongoing bank-wide and 
Monitoring, and individual entity basis. The sophistication of the bank's risk management and internal 
Controlling control infrastructure should keep pace with changes to the bank's risk profile, the 

external risk landscape, and to industry practice. 

8. Risk Communication An effective risk governance framework requires robust communication within the bank 
about risk, both across the organization and through reporting to the board and senior 
management. 

2 Compliance The bank’s board of directors is responsible for overseeing the management of the 
bank's compliance risk. The board should establish a compliance function and approve 
the bank’s policies and processes for identifying, assessing, monitoring, reporting, and 
advising on compliance risk. 

10. Internal Audit The internal audit function should provide independent assurance to the board and 
should support the board and senior management in promoting an effective gover- 
nance process and the long-term soundness of the bank. 

Tilo Compensation The bank’s remuneration structure should support sound corporate governance and 
risk management. 

12. Disclosure and The governance of the bank should be adequately transparent to its shareholders, 

Transparency depositors, other relevant stakeholders, and market participants. 

1E} Role of Supervisors Supervisors should provide guidance for and supervise corporate governance at 


banks, including through comprehensive evaluations and regular interaction with 
boards and senior management; should require improvement and remedial action 
as necessary; and should share information on corporate governance with other 
supervisors. 


Source: Basel 


Committee on Banking Supervision, Guidelines: Corporate Governance Principles for Banks, July 2015, 8-40. 
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Corporate governance in banking has been strongly impacted 
by the post-crisis regulatory response. This includes Basel III, but 
also the U.S. Dodd-Frank Act and the European Supervisory 
Review and Evaluation Process (SREP)."" 


After the Crisis: Industry Restructuring 
and the Dodd-Frank Act 


Until 1999, commercial banking in the United States was segre- 
gated from investment banking by law under the Glass-Steagall 
Act. That year, the Graham-Leach-Bliley Act largely abolished 
the restrictions embodied in the Glass-Steagall Act. Specifically, 
it enabled bank holding companies to convert into financial 
services holding companies (FSHCs). As FSHCs could combine 
investment banking, commercial banking, insurance, and 
broker-dealer activities under one corporate umbrella, it was 
intended to encourage the growth of universal banking in the 
United States. '2 


Despite the repeal of Glass-Steagall, however, commercial 

and investment banking remained as two separate industries 
operating under two regulatory paradigms. While U.S. banking 
regulation involves both supervision of business conduct (i.e., 
investor protection) and prudential regulation aimed at ensur- 
ing bank stability, investment banking did not come under the 
purview of bank regulators and was therefore not subject to 
prudential oversight. In addition, investment banking was gen- 
erally regarded as marginal to the stability of the United States 
banking system (until the 2007-2009 crisis proved otherwise). 


The competitive structure of the banking industry was altered 
dramatically during, and as the result of, the crisis. Investment 
giants, including Bear Stearns and Merrill Lynch, were merged 
(under duress) with banking institutions. Lehman Brothers went 
bankrupt. The last two major investment banks, Goldman Sachs 
and Morgan Stanley, were converted into bank holding compa- 
nies (BHCs). This made them subject to the full force of banking 
regulation, but also eligible for the credit extended to banking 
institutions by the Federal Reserve System. 


In July 2010, the Dodd-Frank Act'? was signed into law. The 
Act's 2,300 pages overhauled the regulation of the financial 
industry in the United States, aiming to improve both consumer 
protection and systemic stability. Specifically, it attempted to 
address several issues. 


11 This is new approach to bank supervision for European banks regu- 
lated by the Single Supervisory Mechanism. 


12 A. Saunders and L. Allen, (2010). Credit Risk Measurement In and Out 
of the Financial Crisis: New Approaches to Value at Risk and Other Para- 
digms, Hoboken, N.J.: Wiley, 2010. 


13 Dodd-Frank Wall Street Reform and Consumer Protection Act - Pub.L. 
111-203, H.R. 4173. 


e Strengthening the Fed: The Act extended the regulatory 
reach of the Federal Reserve (i.e., the Fed) in the areas con- 
cerned with systemic risk. All the systemically important 
financial institutions (SIFls), which are defined as bank holding 
firms with more than USD 50 billion'4 of assets, are now reg- 
ulated by the Federal Reserve and the Fed’s mandate now 
includes macroprudential supervision. 


e Ending too-big-to-fail: Dodd-Frank proposed an end 
to “too-big-to-fail” by creating an orderly liquidation 
authority (OLA). 

e Resolution plan: SIFls are required to submit a so-called 
“living will” to the Federal Reserve and the Federal Deposit 
Insurance Corporation (FDIC) that lays out a corporate 
governance structure for resolution planning. 


e Derivatives markets: The Act launched a transparency- 
focused overhaul of derivatives markets regulation with the 
aim of helping market participants with counterparty risk. 


e The Volcker Rule: This rule imposes a prohibition on propri- 
etary trading, as well as the partial or full ownership/part- 
nership of hedge funds and private equity funds by banking 


entities. 1 


e Protecting consumers: The Act created a Consumer Financial 
Protection Bureau (CFPB) to regulate consumer financial 
services and products. 

e Stress testing: The Act instituted a radically new approach 


to scenario analysis and stress testing, with the following 
characteristics: 


e A top-down approach with macroeconomic scenarios 
unfolding over several quarters; 


e A focus on the effects of macroeconomic downturns on 
a series of risk types, including credit risk, liquidity risk, 
market risk, and operational risk; 

e An approach that is computationally demanding, because 
risk drivers are not stationary, as well as realistic, allowing 
for active management of the portfolios; 

e A stress testing framework that is fully incorporated 
into a bank's business, capital, and liquidity planning 
processes; and 

e An approach that not only looks at each bank in isolation, 
but across all institutions. This allows for the collection 
of systemic information showing how a major common 
scenario would affect the largest banks collectively. 


14 In 2018 the U.S. Congress raised this threshold to USD 250 billion. 


15 This provision, originally proposed by the former Chairman of the 
Federal Reserve Paul Volcker, is nicknamed the Volcker Rule and it 
became effective in July 2015. With the proposed 2018 reform of the 
Dodd-Frank Act, the smallest banks (i.e., those with less than USD 

10 billion in assets) would be exempt from the Volcker Rule. 
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The Federal Reserve Board (FRB) conducts two stress testing 
exercises: 


1. The Dodd-Frank Act Stress Test (DFAST) for banks with 
assets above USD 10 billion, and 


2. The Comprehensive Capital Analysis and Review (CCAR) for 
banks with assets above USD 50 billion. 


CCAR is an annual exercise with the three supervisory scenarios 
and two internally generated scenarios (i.e., BHC baseline and BHC 
adverse), BHCs must present a capital plan describing all planned 
actions (e.g., dividend increases, share repurchases, major acquisi- 
tions) over a planning horizon of nine quarters. Banks must have a 
Tier 1 capital ratio of at least 5% throughout the planning period. 
Those that exceed this ratio should revise their risk appetites 
downward. Meanwhile, the Fed’s qualitative assessment of a capi- 
tal plan revolves around the adequacy of the internal processes. 


The European Regulatory Response to 
the GFC: SREP and EBA Stress Tests 


A new approach to bank supervision, called the Supervisory Review 
and Evaluation Process (SREP), is taking hold for banks in Europe. 


The SREP introduces three new principles to banking supervision: 


1. A forward-looking emphasis on the sustainability of each 
bank's business model, including during conditions of stress, 


2. An assessment methodology based on best practices within 
the banking industry, and 


3. An expectation that every bank will ultimately operate 
under the same standards. 


The internal capital adequacy assessment process (ICAAP) 
and the internal liquidity adequacy assessment process 
(ILAAP) are the two key components of SREP. 


1. The ICCAP incorporates scenario analysis and stress testing. 
It outlines how stress testing supports capital planning. 


2. The ILAAP incorporates the potential losses from asset liqui- 
dations and increased funding costs during stressful periods. 


European banks with assets of EUR 30 billion and above 

must run European Banking Authority (EBA) stress tests. 

These stress tests are run at the consolidated banking group 
level (insurance activities are excluded). Two supervisory macro- 
economic scenarios covering a three-year period are provided 
by the regulator: a baseline scenario and an adverse scenario. 


Although the scenarios unfold over a three-year period, the 
approach (contrary to CCAR) is fundamentally static and banks 


16 Under the 2018 reform of the Dodd-Frank Act, it is now mandatory 
only for banks with assets above USD 250 billion. 


are only required to look at the immediate impact of the cumu- 
lative shocks over the three-year period. 


3.2 INFRASTRUCTURE OF RISK 
GOVERNANCE 


This section discusses the infrastructure of risk governance and 
address three critical questions. 


1. Are corporate governance best practices related to best 
practice in risk management, and if so, how? 


2. How is risk management delegated through the organiza- 
tion? What roles do the executive staff and board com- 
mittees undertake in the execution and oversight of risk 
management? 


3. How does risk management policy filter down to business 
managers and how is it reflected in the way regular business 
is conducted? 


These questions seek to outline how corporate risk manage- 
ment should be designed and diffused throughout financial 
institutions. While the focus of this section is on the banking 
industry, the concepts, principles, and protocols articulated 
below are relevant for other corporations as well. 


The Board and Corporate Governance 


One of the key duties of a corporate board of directors is to 
protect the interests of shareholders. Traditionally, the board 
has been cast as the gatekeeper for all shareholders. A grow- 
ing number of analysts, however, argue that the responsibility 
of the board extends beyond shareholders to include all cor- 
porate stakeholders (e.g., debtholders and employees). Given 
the divergent interests of the various stakeholders, managing 
this responsibility is not always an easy task. Debtholders, for 
example, are primarily interested in the extreme downside risk. 
This is because their stake in the firm is most at risk during times 
of distress (i.e., when corporate solvency is on the line). 


The board is also charged with overseeing executive manage- 
ment. Analyzing the risks and returns from corporate activity is 
one of the board’s fundamental duties. If management assumes 
a given risk, the board must understand the type and magnitude 
of the threat posed should that risk come to fruition. 


Addressing conflicts of interest between management and 
shareholders lies at the heart of corporate board oversight. 
Such conflicts are referred to in the financial literature as agency 
problems, and they are often manifested as the unwarranted 
assumption of risk to pursue short-term profits or to enhance 
apparent performance. These activities put the interests of man- 
agement squarely against those of longer-term stakeholders. 


Chapter 3 The Governance of Risk Management E 45 


Conflicts of interest are easily created, rendering agency risk 

a perennial governance challenge. For example, giving execu- 
tives stock options (which take on value only if the firm's shares 
exceed a certain price) can incentivize senior management to 
take actions designed to temporarily boost the firm's share 
price, even if these actions hurt the firm in the long term. 


Even the best-designed executive compensation systems cannot 
fully prevent executives from being tempted to pursue short- 
term results to the detriment of long-term objectives. For this 
reason, the scope and structure of executive compensation has 
become a major concern and measures to strengthen executive 
accountability are gaining traction. 


Ongoing tensions between the interests of CEOs and the inter- 
ests of longer-term stakeholders have become a prominent 
feature of corporate management. Agency risks arising from 
these tensions provide an important rationale for the board’s 
independence from executive management. They also explain 
the recommended best practice of separating the position of 
CEO from that of board chairman. 


The bankruptcy of brokerage firm MF Global in 2011 illustrates 
the perils of agency risk, particularly when the board's indepen- 
dence from executive management is questionable. 


In 2010, MF Global appointed Jon Corzine” as chairman of the 
board and CEO. At the time, the firm was already experiencing 
liquidity and compliance problems. Under Corzine’s leadership, 
and despite repeated warnings by the firm's CRO at the time, '® 
MF Global made huge proprietary investments in European sov- 
ereign debt. These investments soured in 2011, exacerbating 
the firm’s liquidity problems. This led to a loss of shareholder 
and client confidence, and ultimately to the firm's collapse. 
During this time, the firm allegedly misappropriated client 
funds in an attempt to keep the firm solvent. This prompted the 
U.S. Commodity Futures Trading Commission (CFTC) to act 


against Corzine and the firm’s assistant treasurer. 1? 


From Corporate Governance to 
Best-Practice Risk Management 


The experience of the past two decades illustrates how the 
objectives of corporate governance and risk management have 
converged. The 2007-2009 crisis exposed extreme deficiencies in 
risk management and oversight among financial institutions. As a 


17 As a U.S. Senator, Corzine helped draft the Sarbanes-Oxley Act in 2002. 


18 M. Peregrine, "Another View: MF Global's Corporate Governance 
Lesson,” New York Times, December 16, 2011, https://dealbook.nytimes 
.com/2011/12/16/another-view-mf-globals-lesson-in-corporate-governance. 


19 CFTC Press Release 7508-17, January 5, 2017. https://www.cftc.gov/ 
PressRoom/PressReleases/pr7508-17. 


result, post-crisis regulation has raised the bar for risk governance 
with the aim of reining in both financial and agency risks. 


Risk governance involves setting up an organizational infrastruc- 
ture to articulate formal procedures for defining, implementing, 
and overseeing risk management. It is also about transparency 
and establishing channels of communication within the organiza- 
tion as well as with external stakeholders and regulators. 


The mix of the measures adopted, and the degree to which they 
are enshrined in law, varies between jurisdictions. In 2012, the 
World Bank articulated a set of standards for risk governance 
aimed at improving the effectiveness of risk management and 
control, enhancing risk management standards, and promoting 
the competitiveness and sustainability of financial institutions.”° 


The board of directors plays a central role in both the shaping and 
oversight of risk management. Its primary responsibility in risk gov- 
ernance is to assess the fundamental risks and rewards engendered 
in the firm's business strategy. This assessment must be based on 

a clear understanding of the institution's direction and goals. The 
board must proactively participate in strategic planning as well as 
outline the appropriate risk appetite (as discussed in Chapter 2). 


Risk appetite is intimately related to business strategy and capital 
planning. Certain activities may be categorically inappropriate for 
an enterprise given the type of risk involved. The appropriateness 
of other activities may be a function of their scope relative to the 
firm’s total asset value. Business planning must take risk manage- 
ment into consideration from the outset, and the matching of 
strategic objectives to risk appetite must be incorporated into the 
planning process. Equally important is a clear communication of 
risk appetite and risk position throughout the firm. This allows the 
firm to set appropriate limits on its various risk-bearing activities. 


The board is also responsible for oversight and risk transparency. 
It must ascertain whether any major transaction undertaken by 
the firm is consistent with the authorized risk and associated 
business strategies. Similarly, it must ensure that the disclosure 
to managers and relevant stakeholders is both adequate and 
compliant with internal corporate rules and external regulations. 
Given the board's accountability to stakeholders, the board is 
ultimately responsible when risk policy is ignored or violated. 


To fulfill its role in risk governance, the board must assess 
whether the firm has put an effective risk management system in 
place that enables it to further its strategic objectives within the 
confines of its risk appetite. The board must also make sure that 
procedures for identifying, assessing, and handling the various 
types of risk (e.g., business, operational, reputational, market, 
liquidity, compliance, and credit) are in place. While a willful 


20 IFC, Standards in Risk Governance for Financial Institutions, 2012, 
https://www.ifc.org/wps/wem/connect/ce387 e804c9ef58697c4d- 
7481 ee63 1cc/ECACR-RiskGovernanceStandards.pdf?MOD=AJPERES 
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assumption of excessive risk lies at the heart of many corporate 
failures, just as many can be attributed to an inability to identify 
risk or assess it properly in a timely manner. 


The risk management process may seem complex and con- 
founding and boards may find this task difficult to take on. 
However, the strategic principles underlying risk governance are 
simple. Ultimately, only four basic choices need to be made in 
the management of corporate risk: 


1. The choice to undertake or not to undertake certain activities; 


2. The choice to transfer or not transfer either all or part of a 
given risk to a third party (or third parties); such transfers 
can be accomplished via the purchase of insurance policies, 
hedging activities, and so on; 


3. The choice to preemptively mitigate risk through early 
detection and prevention; and 


4. The choice to assume or not assume risk, fully cognizant of 
both the upside and downside implications. 


Risk management must be implemented across the entire 
enterprise?! under a set of unified policies and methodologies. 
(This is called enterprise risk management and is discussed in 
Chapter 8.) The infrastructure of risk management, which includes 
both physical resources and clearly defined operational processes, 
must be up to the task of an enterprise-wide scope. The task of 
assessing the fitness of a risk management system is daunting, but 
doable nonetheless, One way to measure the seriousness of a risk 
management process is to examine the human capital employed 
and the risk managers’ standing within the corporate hierarchy. 


e Is the risk manager considered to be a member of the 
executive staff and can this position lead to other career 
opportunities? 

e How independent is the risk manager? What authority does 
he or she hold? To whom does he or she report? 


e Are risk managers paid well relative to other employees who 
are rewarded for performance (e.g., traders)? 


e To what extent can one characterize the enterprise's ethical 
culture as being strong and resilient against the actions of 
bad actors? Has the firm set clear-cut ethical standards and 
are these standards actively enforced? 


The board must also evaluate the firm's performance metrics 
and compensation strategy. It has the critical responsibility 
of making sure executives are compensated based on their 


21 The OECD's paper on Corporate Governance and the Financial Crisis: 
Conclusions and Emerging Good Practices to Enhance Implementa- 
tion of the Principles, February 2010, p. 4, states that ”. . . an important 
conclusion is that the board's responsibility for defining strategy and 
risk appetite needs to be extended to establishing and overseeing 
enterprise-wide risk management systems”. 


risk-adjusted performance and that the incentives inherent in 
such compensation do not clash with shareholder interests. 


Within the framework of risk governance oversight, the board 
should ensure the information it obtains concerning the imple- 
mentation of risk management is accurate and reliable. Informa- 
tion should be gathered from multiple sources, including the 
CEO, other senior executives, and both internal and external 
auditors. Board members must also arm themselves with addi- 
tional knowledge, because they are required not only to ask 
tough questions but also understand the answers they are told. 


The board's scope in risk governance is comprehensive. How- 
ever, its responsibility to take a proactive approach does not 
suggest a day-to-day involvement. Rather, its role is to ensure 
that the processes and procedures around the delegation and 
implementation of risk management decisions are performing as 
planned. As discussed previously, the 2007-2009 financial crisis 
highlighted the need to strengthen the role of the board and its 
commitment to risk management. 


Board members need to be trained on risk issues and on how 
to evaluate and define the firm's risk appetite. They need to be 
able to assess the firm's capacity for risk over a specified time 
horizon while considering the firm's mix of business activities, 
earnings goals, strategic objectives, and competitive position. 
This will allow the board to understand the firm’s risk profile and 
monitor its performance relative to the risk appetite. 


The board should also have a risk committee whose members 
have enough analytic sophistication and business experience to 
properly analyze key risks. The board risk and audit committees 
should be two separate entities, given that each requires differ- 
ent skills to meet its respective responsibilities. 


3.3 RISK APPETITE STATEMENT 


Publishing a risk appetite statement (RAS) is an important com- 
ponent of corporate governance. The Financial Stability Board 
(FSB)? describes an RAS as “a written articulation of the aggre- 
gate level and types of risk that a firm will accept or avoid in 
order to achieve its business objectives.” The RAS includes both 
qualitative and quantitative statements.2° 


The objectives of an RAS should be clearly articulated. For 
example, as shown in Box 3.2, objectives include maintaining a 
balance between risk and return, retaining a prudent attitude 


22 Financial Stability Board. (2013, November 18). Principles for an 
Effective Risk Appetite Framework. Retrieved from https://www.fsb. 
org/2013/11/r_131118/ 


23 The FSB also makes the point that an RAS should address “difficult 
to quantify risks such as reputation and conduct risks as well as money 
laundering and unethical practices.” 
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BOX 3.2 RISK APPETITE STATEMENT OBJECTIVES* 


Risk Appetite Statement 


CIBC's risk appetite statement defines the amount of risk we 
are willing to assume in pursuit of our strategic and finan- 
cial objectives. Our guiding principle is to practice sound 
risk management, supported by strong capital and funding 
positions, as we pursue our client-focused strategy. In defin- 
ing our risk appetite, we take into consideration our vision, 
values, and strategy, along with our risk capacity (defined by 
regulatory constraints). It defines how we conduct business, 
which is to be consistent with the following objectives: 


e Safeguarding our reputation and brand; 
e Doing the right thing for our clients/stakeholders; 


e Engaging in client-oriented businesses that we 
understand; 


e Maintaining a balance between risk and returns; 
e Retaining a prudent attitude towards tail and event risk; 


e Meeting regulatory expectations and/or identifying and 
having plans in place to address any issues in a timely 
manner; and 


e Achieving/maintaining an AA rating. 


* Reference CIBC 2017 Annual report, page 44. 


Reprinted with permission of the Canadian Imperial Bank of 
Commerce. 


BOX 3.3 RISK POLICIES, LIMITS, AND MANAGEMENT OVERSIGHT* 


Enterprise-Wide Risk Management Framework 


Risk Appetite Statement and Risk Appetite Framework 


Risk Overarching Framework/Policy | Risk Limits Management Oversight 
Credit Credit Risk Management Policy Credit Concentration Limits Credit Committees 
Delegated Credit Approval Authorities | Global Risk Committee 
Market Capital Markets Risk Market Risk Limits Capital Markets Authorized 
Management Policies Delegated Risk Authorities Products Committee 
Structural Risk Management Global Risk Committee 
Policy Global Asset Liability Committee 
Operational | Operational Risk Management Key Risk Indicators Operational Risk and Control 
Policy Committee 
Control Framework Global Risk Committee 
Reputation | Reputation Risk Management Key Risk Indicators Reputation and Legal Risks 
Framework and Policy Committee 
Liquidity Liquidity Risk Management Policy | Liquidity and Funding Limits Global Asset Liability Committee 
Pledging Policy Pledging Limits Global Risk Committee 
Strategic Strategic Planning Policy Risk Appetite Statement Executive Committee 
Regulatory | Regulatory Compliance Manage- | Key Risk Indicators Global Risk Committee 
ment Policy 


* Reference CIBC 2017 Annual report, page 45. 
Reprinted with permission of the Canadian Imperial Bank of Commerce. 


toward tail and event risk, and achieving a desired credit rating. b) Be linked to the institution's short- and long-term strate- 


The FSB states that: gic, capital, and financial plans, as well as compensation 


” 
“[a]n effective risk appetite statement should: Programs siss 


A summary list of key risk policies and limits should be 


a) Include key background information and the assump- 
) y g p made transparent to all shareholders. For example, Box 3.3 


tions that informed the financial institution's strategic 


x i shows a list of all the key risk types, the relevant policies, 
and business plans at the time they were approved y yP P 
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Capacity, Appetite, and Tolerance 


Tolerance 


| Target | 


At most firms, the key risk manage- 
ment policies and procedures are 
approved by the board audit and 
risk management committees. These 
1 committees also review the imple- 
mentation of these policies and 


2 I examine their efficacy. They interpret 
Appetite the board-approved risk appetite 
1 and break it down into a set of 
I practical restrictions and limitations. 
1 These new rules are then dissemi- 
i nated throughout the organization 
I by the executive staff and depart- 
I ment heads. 
I Capacity Performance 
— S (ae The Board Audit 
GEK] Risk profile, risk appetite, risk capacity and performance. Committee 


Source: COSO, Enterprise Risk Management, Integrating with Strategy and Performance, June 2017, 


Figure 7.5, page 62. Reprinted by permission. 


the types of risk limits, and the management responsible 
for oversight. 


An RAS should contain risk appetite and risk tolerance measures 
that limit the amount of risk taken at the business unit level as 
well as the organizational level. The RAS should also make trans- 
parent the relationship between risk appetite, risk capacity, risk 
tolerance, and the current risk profile. 


As shown in Figure 3.1, risk tolerance refers to the range of 
acceptable outcomes related to achieving a business objec- 
tive. Risk tolerance (see dotted lines in Figure 3.1) is a tactical 
measure, whereas risk appetite is a broader aggregate mea- 
sure of the amount at risk. Risk appetite is set at a level suf- 
ficiently below the risk capacity to ensure that the actual risk 
stays well below the risk capacity of the firm. The goal here 
is to keep the actual risk profile within the established risk 
tolerance bands. Operating within the risk tolerance bands 
provides management with comfort that the firm can achieve 
the desired risk-adjusted return objectives subject to limiting 
the amount at risk. 


3.4 IMPLEMENTING BOARD-LEVEL 
RISK GOVERNANCE 


The previous sections have outlined the rationale and some of the 
objectives of risk governance This section examines the mecha- 
nisms used by financial institutions (as well as other risk-taking 
corporations) to implement risk governance best practices. 


An effective audit committee is 
essential to the directors’ oversight 
of the firm. In addition to being 
accountable for the accuracy and 
completeness of a firm’s financial and regulatory disclosures, the 
audit committee is responsible for ensuring the firm's compli- 
ance with best-practice standards in non-financial matters as 
well. Regulatory, legal, compliance, and risk management activi- 
ties all fall under the purview of the audit committee. 


An audit provides the board with independent verification of 
whether the firm is doing what it claims to be doing. This critical 
verification function sets the audit committee’s work apart from 
the work of other risk committees. 


At the same time, however, the audit committee’s duties extend 
beyond the search for discrepancies and infringements. The 
committee must assess not only the veracity, but also the quality 
of the firm’s financial reporting, compliance, internal controls, 
and risk management processes, For example, in its review of 
financial statements, the audit committee must not only confirm 
the accuracy of the financial statements, but that the firm suf- 
ficiently addresses the risk of possible material misstatements 

in its reporting as well. The financial crisis revealed the failure of 
many firms’ audit committees to uncover the excess risk under- 
taken in proprietary trading, or to alert their boards to the risk 
of holding disproportionately large positions in structured credit 
products. 


To successfully execute their duties, audit committee members 
must be knowledgeable, capable of independent judgment, 
financially literate, and have the utmost integrity. Members can- 
not be afraid to challenge management and ask hard questions 
when needed. In most banks, a director who is not a member 
of the executive staff chairs the audit committee, and most of 
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its members are independent as well. Although the audit com- 
mittee’s relationship with management can be adversarial at 
times, the two groups need to foster an amicable and produc- 
tive relationship in which all lines of communication are always 
kept open. 


The Evolving Role of a Risk Advisory 
Director 


It is unreasonable to expect the entire board to possess the 
skills necessary to analyze the financial condition of complex 
risk-taking corporations (which financial institutions are by defini- 
tion). This is particularly true if the appointed independent direc- 
tors include individuals who originate from other industries 
beyond the financial services sector®* and who have no connec- 
tions to the enterprise. This practice can be problematic, 
because (historically) it has been a simple matter for executives 
to befuddle non-executives who lack the skills and/or confi- 
dence to challenge them. Director training programs, as well as 
outside professional support, can be helpful in this regard. 


One approach is for the board to include a risk specialist. This is 
typically an independent member of the board (not necessarily 
a voting member) who specializes in risk analysis and manage- 
ment. This person's job is usually to enhance the efficacy of the 
executive risk committee and the audit committee. This involves 
examining risk governance in terms of the risk policies approved 
by the board, as well as the methodologies and infrastructure 
used to execute and oversee them. 


These risk advisory directors can also keep board members 
apprised as to the best practices in corporate governance and 
risk management. They can also give their professional opinion 
on risks associated with the firm's core business model and the 
areas of activity in which the firm operates or seeks to pursue. 


The Special Role of the Board Risk 
Management Committee 


A board risk management committee is responsible for setting 
the firm’s risk appetite and independently reviewing the gover- 
nance of all material risks. The committee's review includes an 
analysis of policy guidelines, methodologies, and risk manage- 
ment infrastructure. By maintaining direct contact with external 
and internal auditors, a board risk management committee 
can allow for better communication between the board and 
management. 


24 This is often done by design. 


In addition, the board of directors typically delegates the respon- 
sibility for approving and reviewing the risk levels to the board 
risk management committee. Its role, as well as the terms of its 
oversight, are usually formally approved and documented by the 
board. The board risk management committee also monitors 
financial, operational, business, reputational, and strategic risks. It 
reports to the board on various issues (e.g., the extension of spe- 
cial credit should the firm exceed the risk limits set by the board). 


3.5 RISK APPETITE AND BUSINESS 
STRATEGY: THE ROLE OF INCENTIVES 


This section illustrates how structure meets process to ensure 
that a firm's regular activities are appropriate given its risk appe- 
tite and the limits defined by the various board and executive 
committees. 


The process can be summarized as follows. 


e The board risk committee approves the firm's risk appetite on 
an annual basis. This risk appetite is based on a set of broad, 
yet clearly defined, risk metrics (e.g., the total interest rate 
risk assumed by the bank). 


e The firm’s senior risk committee (which is led directly by the 
CEO and typically includes the CRO, the CFO, the treasurer, 
chief compliance officer, and the executives in charge of the 
various business units) is empowered by the board to imple- 
ment and oversee the risk appetite framework. 


e Under the board's authority, the senior risk committee deter- 
mines the limiting parameters for financial (e.g., credit and 
market) and nonfinancial risk (e.g., business risk and opera- 
tional risk) undertaken by the firm. Sub-committees may be 
established to handle each type of risk independently. For 
example, the firm's credit risk committee would set limits on 
the magnitude and type of credit risk undertaken, as well as 
oversee credit risk reporting. 


e After setting risk ceilings, the senior risk committee then 
reports back to the board risk committee with recommenda- 
tions regarding the total risk deemed prudent (which are sub- 
ject to the latter's consideration and approval). 


The Role of the CRO 


The senior risk committee also bears responsibility for the estab- 
lishment, documentation, and enforcement of any corporate 
policies concerning risk. It also sets risk limits for specific busi- 
ness activities, which are then delivered to the CRO. The CRO 

is usually a member of the risk committee and is responsible for 
the design of the firm’s risk management program (in addition 
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to other responsibilities). The CRO is also responsible for risk 
policies, analysis approaches, and methodologies, as well as 
the risk management infrastructure and governance inside the 
organization. 


The bank's senior risk committee delegates the power to make 
day-to-day decisions to the CRO. This includes the ability to 
approve risks exceeding preset limits imposed on the various 
business activities, provided these exceptions remain within the 
bounds of the overall board-approved limits. 


For example, each business unit may be given authorization to 
assume a certain maximum level of risk up to a certain ceiling. The 
firm's senior risk committee reviews and approves each business 
unit's mandate periodically, and the CRO is responsible for moni- 
toring these limits. In larger financial institutions, the best practice 
is for such processes (e.g., the development and approval/renew- 
ing of such risk-taking allowances) is clearly defined. Usually, 

any such approval is valid for one year following approval by the 
senior risk committee. However, the CRO may approve an exten- 
sion of the mandate to accommodate the committee’s schedule. 


Although CROs are typically part of the management team, it is 
critical for them to be granted both the authority and indepen- 
dence to effectively discharge their duties. The global financial 
crisis, along with the problems exemplified by the MF Global 
bankruptcy, underscore the need to fortify CRO independence 
and authority. CROs should be proactively involved in setting 
risk strategy as well as in the implementation and managerial 
oversight of risk management. They should also report directly 
to the CEO, maintain a seat on the board risk committee, and 
have a voice in approving new financial instruments and lines of 
business. Most importantly in this regard, the CRO should have 
a clear mandate to bring any situation that potentially compro- 
mises the bank's risk appetite guidelines or its risk policy to the 
attention of management at all levels and to the board. 


At many banks, CROs act as a liaison between the board and 
management. They keep the former apprised as to the enter- 
prise’s risk tolerance and the efficacy of its risk management pro- 
gram, alerting it to deficiencies in the system. At the same time, 
the CRO communicates the board's views to management and 
distributes this information throughout the entire organization. 


All organizations must strike a balance between ensuring they 
can achieve their objectives and maintaining risk standards. The 
CRO is responsible for independently monitoring these standards 
on an ongoing basis. He or she may order specific units to cut 
back or entirely close positions in the wake of concerns regarding 
exposures to market, credit, operational, or business risks. 


Corporations may also appoint business risk committees for 
each major line of business. A business risk committee typi- 
cally comprises both business and risk personnel. Its goal is to 


align business unit decisions with the organization's desired 
risk/reward tradeoff and ensure proper risk management at 

the business line level. The business risk committee can be 
responsible for articulating how a given risk will be handled in 
accordance with how risk management for a specific business 
relates to the overall risk function. Additionally, the authority to 
approve policies related to more business-specific risk and to 
conduct detailed reviews of business-level risk limits can also be 
entrusted to the business risk committee. 


Limits Policies 


Optimal risk governance requires the ability to link risk appetite 
and limits to specific business practices. Accordingly, appropri- 
ate limits need to be developed for each business as well as for 
the specific risks associated with the business (as well as for the 
entire portfolio of the enterprise). 


Market risk limits are designed to constrain exposure to risk 
derived from price, interest rate, and currency changes. Credit 
risk limits are intended to cap a firm's exposure to defaults or an 
erosion in the quality of credit exposures (e.g., those originating 
from the lending portfolio or through derivative transactions). 
Banks also tend to place exposure to other types of risk (e.g., 
asset/liability management, liquidity, or even catastrophe risk) 
on their policy agenda as well. The nature of any given limit 

will vary and is driven by the nature of the risk in question, the 
competitive positioning of the firm, and the span of its activities. 
Best practice dictates that the processes involved in setting risk 
limits, reviewing exposures, approving exceptions to risk limit 
policy, and analyzing methodologies be documented. 


Best practice in risk management often employs analytical meth- 
odologies to measure risk. When analyzing credit risk, a bank's 
potential exposure can be analyzed by risk grade. Risk-sensitive 
methodologies (e.g., VaR) are useful in the assessment of risk for 
most typical portfolios under an assumption of relatively normal 
market conditions. However, they are less applicable in stressed 
circumstances or for more specialized portfolios. Accordingly, 
best practices call for scenario analysis and stress testing to be 
included in the risk analysis toolbox and incorporated within the 
limit framework in order to validate survivability under worst- 
case conditions. 


Most banking entities set two types of limits. 


1. Tier 1 limits are specific and often include an overall limit 
by asset class, an overall stress-test limit, and a maximum 
drawdown limit. 


2. Tier 2 limits are more generalized and relate to areas of 
business activity as well as aggregated exposures catego- 
rized by credit rating, industry, maturity, region, and so on. 
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Standards for the metrics employed by risk limits are proposed 
by the CRO and approved by the internal risk committee. Practi- 
cally speaking, these limits should be designed such that the 
probability of exceeding them during the normal course of busi- 
ness is low. Limit determination needs to take the business unit's 
historical behavior into account and to aim for a figure that gives 
the business unit a margin for error. For example, a bank may 
decide to design their Tier 1 limits on market risk such that, dur- 
ing the normal course of business and under normal market con- 
ditions, the unit's exposures range from 40% to 60% of the set 
limit and perhaps the peak limit utilization (again, under normal 
market conditions) should hit 75% to 85% of this ceiling.2> 


A consistently designed limit structure helps banks to consoli- 
date their risk management across diverse businesses. When 
limits are calculated in a unified manner and expressed in terms 
of economic capital, or a similar unified term, it is then possible 
to apply Tier 2 limits across business lines. 


Monitoring Risk 


The setting of meaningful risk limits marks the beginning, rather 
than end, of the risk management process. Once set, these 
limits must be closely monitored to verify compliance. Of all the 
types of risks discussed in the previous section, market risk is the 
most time-sensitive and thus requires continual monitoring. 


To monitor market risk limits effectively, the daily valuation of 
asset positions is imperative. Profit and loss statements should 
be prepared outside of the bank's trading department and sub- 
mitted to (non-trading) executive management. In addition, all 
assumptions used in the valuation models should be indepen- 
dently verified. Similarly, the trading team’s adherence to risk 
policy and market risk limits, as well as the bank's escalation plan 
for dealing with exceptions, should be documented on a timely 
basis. Procedures covering the treatment of acceptable limit 
exceptions and unacceptable violations should be articulated in 
writing and made clear to managers and traders alike. 


The assessment of portfolio valuation methods constitutes an 
integral part of risk limit monitoring. The variance between a 
portfolio's actual volatility and that predicted under the bank's 
risk measurement methodology should be evaluated on a regu- 
lar basis. Stress tests should be done to ascertain the impact 

of material changes to market and credit risk on the bank's 
earnings. 


Where time is of the essence, the most appropriate source 
of information may well be the front office. For example, risk 


25 This is just an illustrative example; some organizations may prefer lim- 
its set at higher or lower levels. 


measures relating to the monitoring of intra-day trading expo- 
sures may need to be extracted directly from the day’s accu- 
mulated client orders. Data used in the monitoring of market 
limits, in contrast, should be obtained from consolidated mar- 
ket data feeds not connected to front office systems. To ensure 
integrity, this data must be reconciled with entries in the bank's 
official books and their format must facilitate risk measure- 
ment, such as with VaR methodologies for calculating market or 
credit risk. 


In the implementation of both Tier 1 and Tier 2 limits, business 
units must adhere to strict protocols regarding prior disclosure 
of anticipated limit violations to the risk management function. 
The CRO must be notified well in advance of potential limit 
deviations. If risk management is alerted to a planned excess, 
the probability that this excess will be approved is higher. 


For example, business unit heads may be compelled to issue an 
alert when an exposure reaches a certain threshold (e.g., 85% of 
the limit). The CRO, jointly with the unit head, could then petition 
the bank's business risk committee for a temporary limit increase. 
Upon approval, the business risk committee would then submit 
the request for final approval by the senior risk committee. 


Should the limit be breached, the risk management function 
should immediately record all excesses on a daily limit excep- 
tion report that distinguishes between Tier 1 and Tier 2 limit 
exceptions. This report specifies the circumstances and ratio- 
nale for the exceedances and outlines how the bank plans to 
handle them. 


Tier 1 limit exceedances must be cleared or corrected imme- 
diately. Tier 2 exceedances are less urgent and can be cleared 
within a few days or a week. The CRO should then list all Tier 1 
and Tier 2 limit exceedances on an enterprise exception report, 
which captures all exceptional risk activity at the enterprise level. 
This report is then submitted for discussion at the daily risk meet- 
ing. No manager, including the CEO, should be authorized to 
exclude risk limit exceedances from the daily exception report. 


There is an opportunity cost inherent in effective risk limit man- 
agement. Because the bank prevents the preemptive assump- 
tion of additional risk, it may have to forfeit opportunities for 
additional profits. As a given limit is neared, a bank should con- 
duct a cost-benefit-risk analysis to decide if an exception should 
be made. 


3.6 INCENTIVES AND RISK-TAKING 


One lesson from the global financial crisis is that the prevail- 
ing executive compensation schemes at many financial institu- 
tions encouraged short-term risk-taking, causing management 
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to often underestimate and at times entirely ignore long-term 
risks. The trend to reward bankers and traders with bonuses tied 
to short-term profits, or to the volume of business activity, had 
grown in the two decades preceding the crisis. This incentivized 
these individuals to front load income and push off risk. Compen- 
sation schemes were structured like call options in that they had 
unlimited upside but were capped on the downside. Executives 
collected bonuses when the bank posted profits, but there was 
no real penalty attached to poor performance or losses. Aided 
by excessive leverage, bank personnel were literally able to “bet 
the bank” on astonishingly reckless investment strategies. 


In many jurisdictions, regulations now require public firms to 
establish a dedicated board compensation committee to set 
executive compensation. Such regulation is driven by concerns 
over the ability of CEOs to persuade board members to com- 
pensate themselves and other executives at the expense of 
shareholders, who have virtually no say in such decisions. 


It is now widely recognized that compensation is part of a sound 
risk culture. Specifically, it should be aligned with the long-term 
interests of shareholders and other stakeholders, as well as with 
risk-adjusted return on capital. It should incentivize employees to 
take calculated, rather than reckless, risks. Banks must address any 
potential distortions arising from the way they structure compen- 
sation. The incorporation of risk management considerations into 
the setting of performance milestones is on the rise and is already 
considered a leading practice. Compensation planning is increas- 
ingly considered a key facet of enterprise-wide risk management. 


That said, one must recognize that firms will always be tempted 
to offer attractive compensation packages to so-called “rain- 
makers” who exhibit an unusual talent for generating revenues. 
Absent international cooperation, the market for human capital 
may be subject to regulatory arbitrage as banking enterprises 
cherry pick the jurisdictions in which they operate. 


In September 2009, the G-20 countries called on their respec- 
tive central bank governors and finance ministers to establish an 
international framework to promote financial stability, including 
a reform of compensation practices. In an endorsement of the 
FSB’s implementation standards, the G-20 recommendations 
included: 


e The elimination of multi-annual guaranteed bonuses; 


e The incorporation of executive downside exposure through 
the deferral of certain compensation, the adoption of share- 
based remuneration to incentivize long-term value creation, 
and the introduction of clawback provisions that require reim- 
bursement of bonuses should longer-term losses be incurred 
after bonuses are paid; 


e Limitations on the amount of variable compensation granted 
to employees relative to total net revenues; 


e Disclosure requirements to enhance transparency; and 


e Affirming the independence of the committees responsible 
for executive compensation oversight to ensure their align- 
ment with performance and risk. 


In 2014, the FSB reported that implementation of these stan- 
dards was essentially complete in almost all FSB jurisdictions. In 
some jurisdictions (e.g., the European Union), regulators went 
beyond the recommended standards and adopted bonus caps 
equal to 100% of an executive's salary or, if approved by two- 
thirds of shareholders, 200% of their salary. 


Share-based compensation aims to align the respective 
interests of executives and shareholders. Theoretically, 
occupying the same boat as other shareholders should curb 
excessive executive risk-taking. However, this is not neces- 
sarily the case. Prior to the collapse of Lehman Brothers, for 
example, employees held approximately one third of the firm's 
shares. One must also bear in mind that share ownership can 
also encourage risk-taking because while potential shareholder 
gains are infinite, losses are limited to their investment. 


One remedy for this dilemma could be to turn employees into 
the bank's creditors by introducing restricted notes or bonds 
tied to compensation schemes. Swiss bank UBS adopted such a 
solution in 2013. It paid its most highly compensated employees 
in part with bonus bonds that are forfeited if the bank's regula- 
tory capital ratio falls below 7.5% or the company needs a 
bailout.” 


3.7 THE INTERDEPENDENCE OF 
ORGANIZATIONAL UNITS IN RISK 
GOVERNANCE 


The implementation of risk management at virtually all levels of 
the enterprise is primarily the responsibility of the bank's staff, 
rather than the board committees, Executives and line busi- 
ness managers need to work together to manage, monitor, and 
report the various types of risk being undertaken. Figure 3.2 
outlines how risk management flows and is shared by various 
management functions. Business managers also play an impor- 
tant part in the verification of timely, accurate, and complete 
deal capture and their affirmation of official profit and loss (P&L) 
statements. 


26 G20 Leaders Statement: The Pittsburgh Summit, September 24-25, 
2009, Pittsburgh http://www.g20.utoronto.ca/2009/2009communique 
0925.html (accessed 19/4/2018). 


27 In December 2012, the European Banking Authority expressed the 
view that senior bankers should be required to receive part of their 
annual bonus in bonds that would suffer losses during a financial crisis. 
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Senior Management 


e Sets business level risk tolerances 


Business Line 


e Takes on and manages exposure to 


—___» i 
e Designs and manages policy approved risks 
e Evaluates performance e Verifies valuations 
Risk Management Finance & Operations 
e Manages risk policy development and e Sets and manages valuation & finance 
implementation policies 
e Monitors limits a e Oversees official valuations— 
e Controls model implementation risks including independent verifications 
e Gives senior management e Manages and supports analyses 
independent risk assessments required for business planning 
© Ensures proper settlement/deal 
capture/documentation 
EMA interdependence in risk management. 


A bank's operations function not only shares in the implementa- 
tion of risk management but plays a critical role in risk oversight 
as well. In investment banks, for example, its role is to indepen- 
dently execute, record, and settle trades; reconcile front and 
back-office positions; and chronicle all transactions. The opera- 
tions staff also prepares earnings reports as well as independent 
valuations of the bank's positions (e.g., mark-to-market). 


The finance group, on the other hand, is responsible for devel- 
oping valuation and finance policies, ensuring the accuracy and 
completeness of reported earnings, and reviewing independent 
valuation methodologies and processes. Finance also manages 
business planning and is called upon to support the financial 
needs of the various business lines. 


3.8 ASSESSING THE BANK’S AUDIT 
FUNCTION 


The previous sections outlined a risk management process that 
conforms to risk governance. Adherence to this process can pre- 
vent the assumption of unbridled excessive risk. However, the 
risk governance function alone cannot ascertain compliance to 
the policies established by the board and external regulations. 


This is where the audit function comes in. It is incumbent upon 
the internal audit function to ensure the set-up, implementation, 
and efficacy of risk management/governance. 


To this point, regulators typically require the internal audit func- 
tion to review all processes, policies, and procedures related 


to risk management. A comprehensive review includes, among 
other things, assessing the organization of the risk control unit 
and documentation along with analyzing the integrity of risk 
governance and the efficacy of the risk management process. 
This analysis includes the integration of risk measures into daily 
business management. 


Internal auditors are responsible for: 


e Reviewing monitoring procedures, 


e Tracking the progress of risk management system upgrades, 
assessing the adequacy of application controls in generating 
and securing data, and 


e Affirming the efficacy of vetting processes. 


Best practices also call for the internal audit function to review 
documentation relating to compliance and to compare this with 
the standards stipulated in the regulatory guidelines.?° It should 
also offer its opinion on the reliability of any VaR reporting 
framework. 


Taking market risk as an example, bank auditors are called upon 
to review the vetting process pertaining to the derivative valu- 
ation models used by both the front office and the back office. 
They must sign off on any significant changes to the risk quanti- 
fication process as well as validate the range of risks analyzed by 
the various risk measurement models. Internal auditors are also 
required to inspect the reliability of information systems as well 


28 Such standards include qualitative and quantitative criteria. 
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as the validity and completeness of the data on which market 
risk metrics are computed. 


Regulatory requirements notwithstanding, a key task undertaken 
by the audit function should be the evaluation of the design and 
conceptual soundness of risk measurement. Internal auditors 
should validate market risk models by back testing investment 
strategies. Additionally, they should evaluate the soundness of 
risk management information systems (also called risk MIS) used 
in the quantification of risk throughout the enterprise. These can 
include coding processes, internal model applications, and con- 
trols over position data capture. Similarly, auditors should ana- 
lyze assumptions pertaining to volatility, correlations, and other 
parameter estimates. An auditor's responsibilities often include 
ensuring the veracity of the market databases used to generate 
VaR parameters. 


A risk management function can be rated. This rating may be 
used internally or by third parties (e.g., rating agencies) that 
undertake comparative analyses of multiple enterprises. There is 
no one formula for excellence in risk management. Despite this, 
the rating of risk management practices would be instrumental 
in facilitating comparisons across an organization so that both 
the internal and external parties can benefit from such objective 
critiques. 


The Institute of Internal Auditors (IIA) has devised a set of stan- 
dards relating to internal controls, governance, and risk manage- 
ment. The organization’s International Professional Practices 
Framework (IPPF) articulates standards, some of which are 
mandatory and others that are strongly recommended. 


The mandatory standards and ethical code define the require- 
ments for professional practice.2? The recommended guidance 
outlines how these standards should be applied and imple- 
mented in practice.°° 


Within the industry, there has been an active debate as to 
whether the audit function should have effective oversight of 
the firm's operational risk management.>' Note that the audit 
has a natural interest in the quality of internal controls. While 
subject to auditor review, however, the implementation of risk 
management must remain separate from the auditing function. 
As a basic principle, auditor independence from the underlying 
activity is essential to ensure confidence in any assurances or 
opinions rendered by the auditors to the board, and this 
applies equally to the risk management function and its associ- 
ated processes. Unless this independence is maintained, con- 
flicts of interest could compromise the quality of both risk 
management and audit activity and seriously jeopardize risk 
governance. 


29 See the Professional Guidance section of the IIA’s website: 
https://global.theiia.org/standards-guidance/Public%20 
Documents/IPPF-Standards-2017.pdf. 


30 The Institute of Internal Auditors. (n.d.). Recommended Guidance. 
Retrieved from https://global.theiia.org/standards-guidance/ 
recommended-guidance/Pages/Strongly-Recommended-Guidance.aspx 


31 See M. Crouhy, D. Galai, and R. Mark, “Key Steps in Building Consistent 
Operational Risk Measurement and Management.” In Operational Risk 
and Financial Institutions, ed. R. Jameson, London: Risk Books, 1998. 
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QUESTIONS 


True/False Questions 


3.1 


3.2 


3.3 


After establishing a risk limit, a bank should plan to 
maintain a risk exposure level just below the limit during 
the normal course of business. 


A. True 
B. False 


The standards set in the “Basel Accord” are legally 
binding in all banks in most countries. 


A. True 
B. False 


Basel Ill designed a macroprudential overlay leverage 
ratio of 5% intended to reduce systemic risk and lessen 
pro-cyclicality. 

A. True 

B. False 


Short Concept Questions 


3.6 


3.7 
3.8 


3.9 


3.10 


3.11 


3.12 


The Dodd-Frank Act overhauled the regulation of financial 
institutions in the United States, aiming at improving 

both consumer protection and systemic stability. List and 
discuss three issues that the Dodd-Frank Act tried to 
address? 


Describe what is involved in risk governance. 


What went wrong in MF Global after 2010? How was it 
related to corporate governance issues? 

Describe key points involved in constructing a risk 
appetite. 

What are the four basic choices a bank needs to make 
regarding a potential risk exposure? 

How would one assess the stature of the CRO in the 
organization? 


Describe what a "Risk Appetite Statement” (RAS) is and 
the objectives of a RAS. 


3.4 


3.5 


3.13 


3.14 


3.15 


3.16 


3.17 


3.18 


The board of directors should be responsible for 
overseeing and approving a firm's risk governance. 

A. True 

B. False 

Conflicts of interest between senior management and 
other internal management are referred to as “agency 
problems.” 

A. True 


B. False 


What is the difference between Tier 1 and Tier 2 limits? 


What were three recommendations from the Financial 
Stability Board regarding compensation after the 
2007-2009 financial crisis? 


What are the roles of the senior management risk 
committee? 


What are the key roles and responsibilities of an internal 
audit function? 


Describe three key roles and responsibilities of the board 
of directors. 


Describe the roles and responsibilities of the board audit 
committee. 
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Multiple Choice Questions 


3.19 According to the Sarbanes-Oxley (SOX) Act, who is 3.22 Risk governance does not include 
required to certify the accuracy of the financial reports? A. setting limits on risk exposures. 
A. The chief risk officer (CRO) only B. setting the infrastructure for risk management 
B. The chief executive officer (CEO) only information flows. 
C. The chief financial officer (CFO) only C. allowing for transparency of risk procedures. 
D. CEO, CFO, and CRO only D. setting methodologies to assess credit risk. 
E. CEO and CFO only 3.23 The major roles of the audit committee do not include 
3.20 Which of the following is not a concern of corporate A. reviewing the risk management process. 
governance in banks? B. preparing the annual financial report. 
A. Ensuring competitive positioning of the bank in each C. analyzing the integrity of risk governance. 
market D. affirming the reliability of vetting processes. 


B. Determining the risk appetite 3.24 The roles of the senior management risk committee 


C. Board composition 


include 
D. Compensation policy A. calculations of the daily VaR. 
3.21 Which of the following was not an aim of the B. reviewing the daily VaR. 
Dodd-Frank Act? C. planning the scenario analysis. 
A. Verifying the accuracy of financial reports D. setting risk limits for specific business activities. 


B. Living Will and resolution plan 
C. Stress testing and scenario analysis 
D. Protecting consumers 


Chapter 3 The Governance of Risk Management E 57 


The following questions are intended to help candidates understand the material. They are not actual FRM exam questions. 


ANSWERS 


3.1 


3.2 
3.3 
3.4 
3.5 


3.6 


58 E 


False, because the bank should operate well below its 
risk limits during the normal course of business 


False 


False, because the leverage ratio is 3%. 


True 


False, because “agency risk” puts the interests of man- 
agement squarely against those of a company's longer- 


term stakeholders. 


Include any of the following seven elements. 


e Strengthening the Fed: The Act extended the 
regulatory reach of the Federal Reserve (i.e., the Fed) 
in the areas concerned with systemic risk. All the sys- 
temically important financial institutions (SIFls), which 
are defined as bank holding firms with more than USD 
50 billion of assets, are now regulated by the Federal 
Reserve and the Fed's mandate now includes macro- 
prudential supervision. 


e Ending too-big-to-fail: Dodd-Frank proposed an end 
to “too-big-to-fail” by creating an orderly liquidation 
authority (OLA). 

e Resolution plan: SIFls are required to submit a 
so-called “living will” to the Federal Reserve and 
the Federal Deposit Insurance Corporation (FDIC) 
that lays out a corporate governance structure for 
resolution planning. 


e Derivatives markets: The Act launched a transparency- 
focused overhaul of derivatives markets regulation 
with the aim of helping market participants with 
counterparty risk. 


e The Volcker Rule: This is a prohibition on proprietary 
trading, as well as the partial or full ownership/ 
partnership of hedge funds and private equity funds 
by banking entities. 

e Protecting consumers: The Act created a Consumer 
Financial Protection Bureau (CFPB) to regulate 
consumer financial services and products. 

e Stress testing: The Act instituted a radically new 


approach to scenario analysis and stress testing, with 
the following characteristics. 


e A top-down approach with macroeconomic 
scenarios unfolding over several quarters; 


e A focus on the effects of macroeconomic down- 
turns on a series of risk types, including credit risk, 
liquidity risk, market risk, and operational risk; 

e An approach that is computationally demanding, 
because risk drivers are not stationary, as well as 
realistic, allowing for active management of the 
portfolios; 

e A stress testing framework that is fully incorpo- 
rated into a bank's business, capital, and liquidity 
planning processes; and 

e An approach that not only looks at each bank in 
isolation, but across all institutions. This allows for 
the collection of systemic information showing how 
a major common scenario would affect the largest 
banks collectively. 


3.7 Risk governance involves 


Setting up an organizational infrastructure of human, 
IT, and other resources as well as articulating formal 
procedures for defining, implementing, and oversee- 
ing risk management; and 

Transparency and the channels of communication 
established within the organization as well as with 
external stakeholders and regulators. 


3.8 Key points include the following. 


Jon Corzine was appointed chairman of the board and 
CEO of MF Global In 2010. 


MF Global was experiencing liquidity and compliance 
problems. 


Despite repeated warnings by the company’s chief 
risk officer, MF Global made huge proprietary invest- 
ments in European sovereign debt. These investments 
soured in 2011, exacerbating the company’s liquidity 
problems. 


Liquidity problems led to the loss of shareholder and 
client confidence, and ultimately to the firm’s collapse. 


The company allegedly misappropriated client funds 
to meet the cash crunch. 


3.9 Key points include the following. 


Risk appetite is intimately related to business strategy 
and capital planning. 


Certain activities may be categorically inappropriate 
for an enterprise given the type of risk involved. 
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Business planning must take risk management into 
consideration from the outset. 


The matching of strategic objectives to the risk appe- 
tite must be incorporated into the planning process. 
Clear communication of the firm’s risk position and 


risk appetite is essential so that appropriate limits can 
be set on various risk-bearing activities. 


3.10 The choice to: 


Not undertake certain activities, 
Transfer either all or part of a certain risk to third parties, 


Preemptively mitigate risk through early detection and 
prevention, and 


Assume the risk while being fully cognizant of both 
the upside and downside implications. 


3.11 Questions to ask include the following. 


3.12 


Is the risk manager a member of the executive 

staff and can this position lead to other career 
opportunities? 

How independent is the risk manager? 

What authority does the risk manager hold? 

To whom does the risk manager report? 

Are risk managers comparatively well paid relative to 
other employees who are rewarded for performance? 
Is the enterprise's ethical culture strong and resilient 
to the actions of bad actors? 


Has the bank set clear-cut ethical standards and are 
these standards actively enforced? 


A risk appetite statement: 


Is an important component of corporate governance, 


Articulates the level and types of risk a firm is willing 
to accept to reach its business goals, 


Includes both qualitative and quantitative statements, and 


Helps to reinforce a strong risk culture. 


Objectives include 


Maintaining a balance between risk and return; 
Retaining a prudent attitude toward tail risk and event 
risk; 

Achieving a desired credit rating; 


Linking short-term capital and long-term capital, 
financial and strategic plans, as well as compensation 
structure; 


Setting risk appetite and risk tolerance measures 
which limit the amounts at risk that are expressed 
at the business unit level and on an enterprise 
level; and 


Making transparent the relationship between risk 
appetite, risk capacity, risk tolerance and a firm's 
current risk profile. 


3.13 Tier 1 limits: 


Are specific and often include overall limits by asset 
class, an overall stress-test limit, and a maximum 
drawdown limit; and 


Excesses must be cleared or corrected immediately. 


Tier 2 limits: 


3.14 


3.15 


Are more generalized; 


Relate to areas of business activity and aggregated 
exposures to credit ratings, industries, maturities, 
regions, and so on; and 

Excesses are less urgent and can be cleared within a 
within a few days or a week. 


Recommendations include: 


The elimination of multi-annual guaranteed bonuses; 


The incorporation of executive downside exposure 
through the deferral of certain compensation, the 
adoption of share-based remuneration to incentivize 
long-term value creation, and the introduction of 
clawback provisions requiring reimbursement of 
bonuses should longer-term losses be incurred after 
bonuses are paid; 

The placement of limitations on the amount of 
variable compensation granted to employees relative 
to total net revenues; and 


The imposition of disclosure requirements to enhance 
transparency. 


The senior management risk committee: 


Reports back to the board risk committee with recom- 
mendations regarding the total at risk deemed pru- 
dent for the latter's consideration and approval; 


Establishes, documents, and enforces all corporate 
policies in which risk plays a part; 

Sets risk limits for specific business activities, which 
are then delivered to the CRO; and 


Delegates the power to make day-to-day decisions 
to the CRO. This delegation includes the power to 
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approve risks exceeding preset limits imposed on 
the various business activities, provided these excep- 
tions remain within the bounds of the overall board- 
approved limits. 


3.16 Key roles and responsibilities include: 


Independently assessing risk governance as well as 
the implementation and efficacy of risk management; 
Reviewing the risk management process, a compre- 
hensive review includes, among other things, assess- 
ing adequacy of the organization of the risk control 
unit and documentation; 


Analyzing the integrity of risk governance and the 
efficacy of the risk management process, including 
the integration of risk measures into daily business 
management; 


Examining the monitoring procedures, for tracking the 
progress of risk management system upgrades; 
Assessing the adequacy and effectiveness of applica- 
tion controls in generating and securing data; 
Affirming the reliability of vetting processes; 
Comparing compliance documentation with qualita- 
tive and quantitative criteria stipulated by regulations; 
Offering its opinion on the reliability of any risk 
exporting framework; and 

Evaluating the risk measurement methodologies both 


in terms of theory as well as implementation, includ- 
ing stress-testing methodologies. 


3.17 Such roles and responsibilities include: 


60 


Assessing the fundamental risks and rewards engen- 
dered in the bank's business strategy, based on a 
clear understanding of the latter's direction and goals; 


Harmonizing risk appetite with the bank's strategic plan; 
Being accountable for risk transparency; and 
Making sure that: 


e Any major transaction undertaken is in-line with 
authorized risk taking as well as with the relevant 
business strategies. 

e An effective risk management system is in place 
that enables corporation to further its strategic 
objectives within the confines of its risk appetite. 

e Procedures for identifying, assessing, and handling 
the various kinds of risk are effective. 

e Executives are compensated based on their risk- 
adjusted performance and that the incentives 


3.18 


3.19 


3.20 


3.21 


3.22 


3.23 


3.24 


inherent in such compensation do not clash with 
shareholder interests. 

e Disclosure to managers and relevant stakeholders 
is both adequate and compliant with internal cor- 
porate rules and external regulations. 

e The information it obtains concerning the imple- 
mentation of risk management is accurate and 
reliable. 

The board audit committee is responsible for: 


e Assessing the veracity and the quality of the firm's 
financial reporting, compliance, internal control and 
risk management processes; and 


e Compliance with best-practice standards in non-finan- 
cial matters. 


Regulatory, legal, compliance, and risk manage- 
ment activities also fall under the purview of the audit 
committee. 


E. CEO and CFO only 


SOX specifically requires the CEO and CFO to affirm the 
accuracy of all financial disclosures. 


A. Ensuring competitive positioning of the bank in each 
market 


Corporate governance is concerned with proper controls 
around the running of a business entity—not the specif- 
ics of strategy. 


A. Verifying the accuracy of financial reports 


Accuracy of financial reports was an aim of Sarbanes- 
Oxley, not Dodd-Frank. 


D. Setting methodologies to assess credit risk 


The specifics of risk methodologies are not a part of risk 
governance. However, risk governance does extend to 
ensuring the activities around the development of the 
methodologies are appropriately controlled and disclosed. 


B. Preparing the annual financial report 


The audit committee serves as a check on processes 
and procedures. In this case, the audit committee would 
ensure that the process around the report was properly 
controlled and delivered accurate results. 


D. Sets risk limits for specific business activities 


The senior management risk committee empowers the 
CRO to have oversight into the specifics of how risk is 
reported and analyzed as well as the overall day-to-day 
management of risk. 


Financial Risk Manager Exam Part I: Foundations of Risk Management 


Credit Risk Transfer 


Mechanisms 


E Learning Objectives 


After completing this reading you should be able to: 


® Compare different types of credit derivatives, explain their 
applications, and describe their advantages. 


® Explain different traditional approaches or mechanisms 
that firms can use to help mitigate credit risk. 


® Evaluate the role of credit derivatives in the 2007-2009 
financial crisis and explain changes in the credit derivative 
market that occurred as a result of the crisis. 


® Explain the process of securitization, describe a special 
purpose vehicle (SPV), and assess the risk of different busi- 
ness models that banks can use for securitized products. 
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4.1 OVERVIEW OF CREDIT RISK 
TRANSFER MECHANISMS 


The core risk exposure for banks is credit risk. Traditionally, 
banks have taken short-term liquid deposits and provided long- 
term, illiquid loans. Before the new millennium, banks had only 
a limited capacity for managing credit risk exposure. That all 
changed by the end of the twentieth century. 


In 2002, then-Federal Reserve Chairman Alan Greenspan spoke 
of a “new paradigm of active credit management.” He argued 
that the United States banking system had withstood the 
2001-2002 economic slowdown in part because it had trans- 
ferred and dispersed credit exposures using novel credit deriva- 
tives and securitizations. These included credit default swaps 


(CDSs), collateralized debt obligations (CDOs), and collateral- 
ized loan obligations (CLOs).! The investment vehicles are 
briefly described in Table 4.1. The concept of securitization is 
described in Section 4.3. 


This praise may seem misguided, given the role of credit trans- 
fer instruments in the build-up of systemic risk that preceded 
the 2007-2009 global financial crisis. However, the blame ini- 
tially assigned to credit derivatives should in fact be laid at the 
feet of those who used and abused them. 


The CDS and CLO markets remained robust, in certain respects, 
during and following the crisis. As a result, they fulfilled their 
purpose of helping to manage and transfer credit risk. Although 
there were major systemic deficiencies (e.g., conflicts of inter- 
est and transparency issues) that needed to be addressed, the 


bE OLE Definition of key terms and investment vehicles 


Vehicle 


Brief definition 


Asset-backed security 
(ABS) 


A structured product backed by loans and receivables created using the securitization process. 
Examples include: credit card ABS, student loan ABS, automobile and ABS. 


Asset-backed commercial 
paper (ABCP) 


Commercial paper is used by a special purpose vehicle (SPV) to finance a pool of longer-term 
receivables. 


Collateralized debt obliga- 
tion (CDO) 


A structured product backed by a pool of debt instruments (e.g., bonds created using the 
securitization process). 


CDO Squared 


An investment vehicle issued by an SPV using the securitization process that is backed by tranches 
of a collateralized debt obligation. 


Commercial mortgage- 
backed security 


A structured product backed by a pool of commercial mortgage loans created using the 
securitization process. 


Credit default swap (CDS) 


The most popular type of credit derivative. In a CDS, the protection buyer pays a fee to the 
protection seller in return for the right to receive a payment conditional on a credit event by the 
reference obligation or the reference entity. Should a credit event occur, the protection seller must 
make a payment. A single-name CDS is one in which there is one reference entity. When there are 
multiple reference entities, they are referred to as basket CDS. 


Credit derivative 


A vehicle to transfer credit risk from one party to another. Examples include credit default swaps, 
credit debt obligations, and credit-linked notes. 


Credit loan obligation 
(CLO) 


A structured product backed by a pool of commercial bank loans created using the securitization 
process. 


Mortgage-backed security 
(MBS) 


A structured product backed by a pool of residential mortgage loans created using the 
securitization. There are government backed MBS (i.e., MBS backed by Fannie Mae and Freddie 
Mac) and MBS issued by private entities (including subprime MBS) 


Structured investment 
vehicle (SIV) 


A pool of investment assets that seeks to generate a return from the credit spread between 
short-term rates and long-term structured financial products such as asset-backed securities and 
mortgage-backed securities, 


Note: Some of these definitions are obtained from F. J. Fabozzi, Capital Markets: Institutions, Instruments, and Risk Management, Fifth Edition, 


Cambridge, MA: MIT Press. 


1 A. Greenspan, “The Continued Strength of the U.S. Banking System,” 
speech, October 7, 2002. 
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mechanisms themselves were not the real culprit in precipitating 
the crisis. 


Many commentators have come to the view that the role of 
these mechanisms in causing the crisis may have had more 

to do with failings of the pre-crisis securitization process 

than with the underlying principle of credit risk transfer. Note 
that the performance of credit derivative markets was, and 
remains, highly varied. Some parts of the securitization industry 
remained viable through much of the crisis and beyond. This is 
perhaps because their risks remained relatively transparent to 
investors. 


While some credit transfer markets and instruments met their 
demise following the financial crisis, some are now reappearing 
(though not as they were in the past). Some of these instru- 
ments may again become popular as the economy improves 
and if interest rates rise high enough to support costly secu- 
ritization processes. Still others were relatively unaffected by 
the crisis. 


Some of the more robust instruments that survived the 
crisis include CDS and asset-backed securities (ABS), which 
can be backed by assets such as auto loans, credit card 
receivables, equipment leases, and student loans. In addi- 
tion, asset-backed commercial paper (ABCP) and private- 
issue mortgage backed securities (MBS) are expected to 
survive and draw renewed interest. While the CLO market 
was dormant for a few years following the crisis, new CLO 
issuance has grown significantly since 2011, surpassing pre- 
crisis volumes. 


Collateralized debt obligations squared (CDOs-squared), as well 
as other forms of overly complex securitized instruments (e.g., 
single-tranche CDOs and complex ABCP) are unlikely to be 
revived. Their complexity was not meant to make these instru- 


ments better at hedging risk. Rather, it was meant to make them 


easier to market. 


Meanwhile, new credit risk transfer strategies are emerging. 
One example can be seen in the growing number of insur- 
ance companies buying bank loans with the aim of building 
asset portfolios that match their long-term liabilities. The high 
capital costs associated with post-crisis reforms suggest the 
“buy-and-hold” banking model will remain a relatively ineffi- 
cient way for banks to manage risks generated by lending and 
other banking activities. Regulators, as well as industry practi- 
tioners, are interested in securitization market reforms aimed 
at helping banks obtain funding, optimizing risk manage- 
ment, and encouraging liquidity and economic growth. In the 
longer term, the 2007-2009 crisis may end up being viewed 
more as a constructive test of the credit transfer market than 
its undoing. 


4.2 HOW CREDIT RISK TRANSFER 
CAN BE USEFUL 


Banks have long had several ways to reduce their exposure to 
credit risk—both on an individual name and an aggregate basis. 
Such credit protection techniques include the following. 


e Purchasing insurance from a third-party guarantor: When 
done on an individual obligor basis, this is termed a financial 
guarantee and is provided by a special type of insurance 
company called a monoline insurer. Financial guarantees by 
monoline insurers had been common in the U.S. municipal 
bond market and in the ABS market. However, the down- 
grading? and failure of monoline insurers during the financial 
crisis resulted in fewer issuances of municipal bonds and ABS 
with financial guarantees. 


e Netting of exposures to counterparties: Netting is done by 
examining the difference between the asset and liability values 
for each counterparty and having in place documentation spec- 
ifying that these exposures can be netted against each other. 
Otherwise, if a counterparty goes bankrupt, the value of the 
obligation that counterparty has to the bank vanishes while the 
bank itself remains liable for any funds due to the counterparty. 


e Marking-to-market/margining: This entails having an agree- 
ment in place among counterparties to periodically revalue 
a position and transfer any net value change between the 
counterparties so that the net exposure is minimized. This 
requires relatively sophisticated systems and has historically 
been seen in the market for exchange-traded derivatives. 


e Requiring collateral be posted: Collateral can offset credit 
losses in the event of default. Note that there are instances 
when the circumstances precipitating the default could nega- 
tively impact the value of the collateral. For example, with an 
oil company offering barrels of crude as collateral, the prob- 
ability of the company defaulting increases as the price of oil 
falls (this is known as wrong way risk). 


e Termination/Put option: At inception, the counterpar- 
ties agree to a set of trigger events that, if realized, would 
require the unwinding of the position using a pre-determined 
methodology (often the mid-market valuation). Such trig- 
gers could be downgrades, metrics based on balance sheet/ 


2 A financial guarantee of a monoline insurer depended upon the insurer 
having a AAA credit rating. This is because insuring a bond so that it 

can receive a AAA credit rating could not be done by a monoline insurer 
that had a credit rating below AAA. Just before the global financial 
crisis, monoline insurers had insured a substantial number of ABS 

and private issued MBS. As defaults in these two structured products 
occurred, monoline insurers became responsible for making payments 
to fulfill their guarantees and were subsequently downgraded. 
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BOX 4.1 SYNDICATION AND THE SECONDARY MARKET 


For larger loan transactions, it is typical for banks to syndi- 
cate loans to disperse the credit risk incurred through large 
transactions. Banks can also sell off the loans they originate 
(or otherwise own) in the secondary market. 


Syndication comes into play for very large transactions. In 
these cases, the lead bank originates the transaction and 
makes arrangements to distribute the deal among a larger 
group of investors. For these efforts, the bank earns a per- 
centage fee. Typically, the lead bank will hold about 20% of 
the loan for its own book. 


There are two basic types of syndicate arrangements: firm 
commitment and best efforts. With firm commitments, the 


income statement items, and so on. In the case of a put 
option, the lender has the right to force early termination at a 
pre-determined price. 


e Reassignment of a credit exposure to another party in the 
event of some predefined trigger (e.g., a ratings downgrade). 


The strategies discussed above are effective but require specific 
agreements between the counterparties to enact. For this and 
other reasons, they may not easily fit the needs/goals of the coun- 
terparties. Critically, they are limited in that they do not isolate 
credit risk from the underlying positions for redistribution to a 
broader class of investors. Nor do they effectively “slice and dice” 
risk to enable the fine tuning of positions or credit portfolios. 


Credit derivatives (e.g., CDSs) were formulated precisely to enable 
this fine tuning. Credit derivatives are off-balance sheet instruments 
that facilitate the transfer of credit risk? between two counterpar- 
ties (the beneficiary who sells the risk and the guarantor who buys 
the risk) without having to sell the given position. Credit derivatives 
permit the isolation of credit risk (e.g., in a loan or a bond) and 
transfer that risk without incurring any funding or client manage- 
ment issues. They are to credit risk what interest rate and foreign 
exchange derivatives are to market risk (because these innovations 
isolated market risk from funding and liquidity risk concerns). 


Credit derivatives come with their own set of challenges. Each 
of the counterparties is obliged to understand the full nature of 
the risk transfer: how much risk is transferred, the nature of that 
risk, how the trigger events are defined, any periodic payment 
obligations, the obligations and rights for each counterparty in 
trigger scenarios, and so on. Counterparties in a credit deriva- 
tive contract also need to understand when the contract is 
enforceable and when (if ever) it is not. There are also issues of 


3 Based upon some reference asset. 


banks guarantee the obligor will receive a set dollar amount 
and any failure of the bank to recruit additional investors will 
result in the bank taking a larger portion of the loan onto its 
own books. For best efforts, the amount raised is based upon 
how well the bank does in generating interest in the deal and 
there is no guarantee that the target amount will be raised. 


Syndicated loans form the backbone of the secondary mar- 
ket for bank loans, as the originating bank is obligated to 
ensure the ability of investors to trade the loan after initial 
distribution. As the secondary market (as well as the market 
for credit derivatives) has grown, pricing has become more 
transparent and liquidity has increased. 


systemic concentration risk—even prior to the 2007-2009 finan- 
cial crisis, regulators were concerned about the relatively small 
number of liquidity providers in the credit derivatives markets. 
They feared this nascent market could face disruption if any of 
the major participants were to experience distress (in isolation 
or in concert). It is interesting to note, however, that the single- 
name and index CDS markets operated relatively smoothly at 
the height of the credit crisis under the leadership of the Inter- 
national Swaps and Derivatives Association (ISDA). 


Risk transfer and securitization enables institutions to effectively 
tailor pools of credit risk exposures by facilitating the sale and 
repackaging of risk. Securitization is also a key source for fund- 
ing consumer and corporate lending. According to the Inter- 
national Monetary Fund (IMF), the issuance of securitized loans 
soared from nearly nothing in the early 1990s to almost USD 5 
trillion in 2006. Trading volumes for many credit derivatives and 
securitized products collapsed following the subprime crisis. 
Only credit card receivables, auto loans, and lease-backed secu- 
rities remained relatively unaffected. 


With the huge expansion in the issuance of corporate bonds 
since 2012, there has been a revival in the market for securitized 
corporate loans. This is because their CLO structure is transpar- 
ent for investors and the collateral is reasonably easy to value. 


The Securities and Exchange Commission, in conjunction with 
U.S. federal banking regulators, finalized Section 15G of the 
Securities and Exchange Act in 2014. This imposed risk retention 
provisions on asset-backed securities, including CLOs. Specifi- 
cally, the rules require securitizers to retain, without recourse to 
risk transfer or mitigation, at least 5% of the credit risk.4 


4 Pub. L. No.111-203, 124 Stat. 1376(2010). Section 941 of the Dodd- 
Frank Act. For further information, see: https://www.sec.gov/rules/ 
final/2014/34-73407.pdf. 
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Moreover, securitizers are not permitted to hedge this risk. 
These provisions were designed to align securitizers’ interests 
with those of investors, requiring the former to “have skin in 


the game.”> 


When properly executed in a robust, liquid, and transparent 
market, credit derivatives contribute to the process of credit 
price discovery (i.e., they clarify and quantify the market value 
for a given type of credit risk). In addition to quantifying the 
default risk incurred by many large corporations, CDS prices also 
offer a means to monitor default risks in real time (as opposed 
to credit rating assessments, which are periodic). The hope is 
that improvements in price discovery will eventually lead to 
enhanced liquidity, along with a more efficient market pricing 
of credit spreads for the full spectrum of instruments with credit 
risk exposure. 


Historically, it has been true that corporate bond markets per- 
form price discovery. However, bonds blend interest rate and 
credit risk (and sometimes liquidity risk) together. Moreover, the 
corporate bond market is only useful for understanding the 
credit risk for those companies that issue bonds—which is gen- 
erally limited to the largest public companies.® On the other 
hand, credit derivatives can potentially help in pricing the credit 
risk embedded in privately traded high-yield loans and loan 
portfolios. 


Credit risk in a mature credit market goes beyond default risk 
to include credit spread risk. The credit spread is the difference 
in the yield on instruments subject to credit risk (e.g., bonds, 
derivatives, and loans) and comparable maturity Treasury bonds. 
When the credit spread widens, this affects the valuation of all 
associated instruments subject to credit risk. Accordingly, the 
traditional “credit risk” evolves to the “market risk of credit risk” 
(for certain liquid assets). 


4.3 THE MECHANICS OF 
SECURITIZATION 


Securitization involves the repackaging of loans and other assets 
into new securities that then can be sold in the securities mar- 
kets. The collateral for the new securities is the pool of loans 
and other assets. The performance of the new securities will 
depend upon the performance of the collateral. 


5 The U.S. Court of Appeals for the District of Columbia Circuit, 17-5004, 
February 9, 2018 — Loan Syndication and Trading Association (LSTA) vs. 
the Securities Exchange Commission and Board of Governors of the 
Federal Reserve System, 1:16-cv-00652. 


é Corporate bonds that offer enough liquidity and market activity to 
facilitate credit risk analysis generally are from large corporations. 


Securitization provides a funding vehicle for financial institutions 
and non-financial corporations. This is important because today 
banks throughout the world do not have sufficient capital by 
themselves to satisfy the needs of businesses, consumers, 

and governments. Moreover, securitization offers financial 
institutions and non-financial corporations a tool for risk 
management. 


Banks, for example, have used securitization to remove mort- 
gage loans, corporate bank loans, credit card receivables, and 
automobile loans from their balance sheets. The securitization 
of these assets resulted in the creation of mortgage-backed 
securities, collateralized loan obligations, credit card-backed 
securities, and automobile-backed securities, respectively. The 
latter two securitized products are referred to as asset-backed 
securities (ABS). 


Prior to securitization, entities that originated loans simply 

held them in their portfolio as an investment. This is referred 

to as the traditional “buy-and-hold” strategy. Because an 

entity would originate a loan and then hold it in its portfolio, 
the traditional buy-and-hold strategy is also referred to as the 
“originate-and-hold” strategy. The key risks that the originating 
entity faced by following this strategy were credit risk, price risk, 
and liquidity risk. 


Securitization, instead, involves the originating entity 
assembling a pool of similar loans and using that pool as the 
collateral for the new securities. This strategy is referred to as 
“originate-to-distribute” strategy. It reduces the originating 
entity's risks compared to the originate-to-hold strategy. First, 
the originating entity does not own the collateral, so it does 
not face credit risk. Second, there is no price risk faced by the 
originating entity because it does not own the individual assets 
included in the pool. Finally, by using illiquid loans or receiv- 
ables as collateral for a securitization, the originating entity 
no longer holds an illiquid asset and therefore does not face 
liquidity risk. 


The key element in a securitization is a legal entity that is 
established by the originating entity called a special purpose 
vehicle (SPV). The SPV purchases the pool of loans from 

the originating entity (the “sponsor”) and takes ownership 
of those loans. The SPV obtains the funds to purchase the 
pool of loans from the originating entity by selling the new 
securities. The holders of these new securities receive inter- 
est and principal payments based on rules for the distribution 
of interest and principal and how defaults will be treated. 
Typically, the SPV issues senior bonds, junior bonds, and 
equity. These are referred to as “classes” or “tranches.” The 
senior bond class has the highest level of protection against 
credit risk and typically has a credit rating of AAA. There can 
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be more than one class of junior bonds with varying credit 
ratings below AAA. The equity class, also referred to as the 


summarizes the major milestones in the development of the 
securitization markets (as depicted by the International 
residual class, only receives proceeds after all of the debt 
classes receive payments and therefore is exposed to the 
greatest credit risk. 


Monetary Fund). 


4.4 FROM BUY-AND-HOLD TO 
ORIGINATE-TO-DISTRIBUTE 


It is important to emphasize that it is not just banks that have 
used securitization. Manufacturing companies, for example, 
have used securitization as a risk management tool and a mech- 
anism for raising funds. Here are four examples of non-bank 


Now that we understand what securitization is, let's take a 
closer long at the buy-and-hold strategy, the OTD strategy, and 


sponsors of securitizations: 


General Motors has created GM Financial (a captive finance 
company) to provide automobile loans (as well as leases) to 
its customers. GM Financial and its affiliates have created 
SPVs to buy the loans (and leases) originated by GM Financial 
and its affiliates. The SPVs include AmeriCredit Automobile 
Receivables Trust (AMCAR), GM Financial Automobile Leas- 
ing Trust (GMALT), and GM Financial Consumer Automobile 
Receivables Trust (GMCAR). 


Harley-Davidson created Harley-Davidson Financial 
Services (a captive finance company) to provide loans 

to its customers who want to purchase the company's 
motorcycles. Its SPV issued its first securitization in 2016, a 
USD 301.9 million deal, and in 2019 came to market with 
a USD 552.16 million deal. 


SoFi, a personal finance company, uses securitization exten- 
sively. In April 2018, SoFi (through its SPV) issued two stu- 
dent loan-backed securitizations (USD 960 million in SOFI-A 
Notes and USD 869 million in SOFI-B notes) and a consumer 
loan securitization (USD 774 million in SCLP 2018-1 Notes), 
for a total of USD 2.6 billion in securitizations.’ 

Sprint Corporation has a wide range of wireless and wireline 
communications services for consumers, businesses, and gov- 
ernments. It has used securitizations for its wireless accounts 


their roles in the global financial crisis. Starting in the 1980s, 
certain banking activities shifted from the traditional buy-and- 
hold strategy to the new OTD business model. Credit risk that 
would have once been retained by banks on their balance 
sheets was sold, along with the associated cash flows, to 
investors in the form of ABSs and similar investment products. 
In part, the banking industry's enthusiasm for the OTD model 
was driven by the Basel capital adequacy requirements. 
Specifically, banks sought to optimize their use of capital by 
moving capital-consuming loans off their books. Accounting 
and regulatory standards also tended to encourage banks to 
focus on generating the upfront commissions associated with 
the securitization process. 


The shift toward the OTD business model seemed to offer the 
financial services industry many benefits.” 


e Originators benefited from greater capital efficiency and 
enhanced funding opportunities, as well as lower earnings 
volatility (at least in the short term), because the OTD model 
seemingly dispersed credit risk and interest rate risk across 
many market players. 


e Investors benefited from a wider array of investments, allow- 
ing them to diversify their portfolios and better synchronize 
their risk/return profiles with their goals and preferences. 


¢ Borrowers benefited from the expansion of available credit 


receivable. and product options, as well as from the lower borrowing 


The trend toward securitization began in 1968 with the birth costs resulting from these benefits. 


of the Government National Mortgage Association (GNMA, 
also known as Ginnie Mae).® Consumer ABSs in the United 
States and residential mortgage-backed securities (RMBS) in 
the U.K. emerged in the 1980s. The 1990s saw the develop- 
ment of commercial mortgage-backed securities (CMBS) in 
the United States. Between 2000 and 2007, there was a surge 
in the issuance of very complex, risky, and opaque CDOs in 
the U.S. private label securitization market. Figure 4.1 


However, benefits of the OTD model progressively eroded 

as risks accumulated in the years leading up to the financial 
crisis. And while there is widespread disagreement regarding 
the OTD model's relative contribution to the crisis, there is a 
consensus that it created moral hazard by lowering the incen- 
tives for lenders to maintain high loan underwriting standards 
and monitor the creditworthiness of borrowers. There is also 
agreement that too few safeguards were in place to offset this 
moral hazard. 


7 https://www.sofi.com/press/sofi-issues-record-2-6-billion-abs-notes- 


first-quarter=2016/. ? See Report of the Financial Stability Forum on Enhancing Market and 


Institutional Resilience (Rep.). (2008, April 7). https://www.fsb.org/wp- 
content/uploads/r_0804.pdf 


8 GNMA is the primary mechanism for securitizing government-insured 
and government-guaranteed mortgage loans. 
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Source: Republished with permission of the International Monetary Fund, from Securitization: Lessons Learned and the Road Ahead, Vol. 13 (2013). 


Nevertheless, leading up to the financial crisis, banks deviated 
from, rather than followed, the OTD business model. Instead of 
acting solely as intermediaries (i.e., transferring risk from mortgage 
lenders to capital market investors), many banks took on the role of 
the investor."' In the mortgage market, for example, relatively little 
credit risk was transferred. Instead, many banks retained or even 
acquired a considerable amount of securitized mortgage credit risk. 


Risks that should have been broadly dispersed under the OTD 
model were instead concentrated in entities primarily estab- 
lished to skirt mandatory capital requirements. Banks and other 
financial institutions achieved this by establishing highly levered 


10 M. Segoviano, B. Jones, P. Lindner, and J. Blankenheim (2013, 
November). Securitization: Lessons Learned and the Road Ahead(Rep.). 
Retrieved https://www.imf.org/external/pubs/ft/wp/2013/wp13255.pdf 


n According to the Financial Times (July 1, 2008), 50% of AA-rated 
asset backed securities were held by banks, ABCP conduits and SIVs. As 
much as 30% was simply parceled out by banks to each other, while 20% 
sat in conduits and SIVs. 


off-balance sheet ABCP conduits and structured investment 
vehicles (SIVs), an investment vehicle described in Table 4.1 


Banks misjudged the risks (e.g., reputation risk) contained in the 
commitments made to SIV investors. They also (falsely) assumed 
that there would be a substantial ongoing access to liquidity 
funding and that markets in these assets would be sufficiently 
liquid to support securitization. 


Firms that were selling their credit exposures found themselves 
retaining a growing pipeline of credit risk. Furthermore, they did 
not adequately measure and manage the risks that would mate- 
rialize if assets could not be sold. Some levered SIVs suffered 
from significant liquidity and maturity mismatches, making them 
vulnerable to a classic bank run. 


These problems shed light on the need to strengthen the foun- 
dations of the OTD model. The factors that exacerbated these 
weaknesses included bank leverage, faulty origination practices 
(i.e., poor underwriting standards), and the fact that many finan- 
cial firms chose to retain (rather than fully transfer) the credit 
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risk embedded in the securities they originated. 
Among the issues that needed to be addressed 
were the following. '2 


e There were misaligned incentives along the 
securitization chain, driven by the pursuit of 
short-term profits. This was the case among 
many originators, organizers, managers, and 
distributors. Investor oversight was weakened 
by complacency, as market growth beck- 
oned many to “let the good times roll.” The 
complexity of these instruments and a lack of 
understanding among investors also served as 
barriers to market discipline and oversight. 


e The risks embedded in securitized products were 
not transparent. Investors had difficulty assess- 
ing the quality of the underlying assets and the 
potential correlations between them. 


e There was poor securitization risk management, 
particularly regarding the identification, assess- 
ment, handling and stress testing of market, 
liquidity, concentration, and pipeline risks. 


e There was an overreliance on the accuracy and transparency 
of credit ratings. This was problematic because rating agen- 
cies failed to adequately review the granular data underlying 
securitized transactions and underestimated the risks of sub- 
prime CDO structuring. 13 


Figure 4.2 summarizes this self-reinforcing securitization chain 
that amplified systemic risk during the crisis by allowing massive 
leverage and risk concentration in the financial sector. 


While operating at a fraction of its pre-crisis size, the securitiza- 
tion market is on the rebound. MBSs, particularly those issued 
by U.S. government agencies, continue to dominate the land- 
scape in terms of the volume of outstanding securities, new 
issuances, and trading. The markets for other asset-backed 
securities, such as those related to consumer lending, have held 
their ground since the crisis and have grown in recent years. 


Table 4.2 shows the global structured finance volumes from 
2015 to 2018 and the projected 2019 forecast by Standard & 
Poor's for the U.S., Canada, Europe, and Asia-Pacific. As can be 


12 E, H. Neave, Modern Financial Systems: Theory and Application, 
Hoboken, NJ: John Wiley & Sons, 2010. 


13 See M. Crouhy, R. Jarrow, and S. Turnbull, “The Subprime Credit 
Crisis of 2007," Journal of Derivatives, Fall 2008, pp. 84-86. 


As monetary policy turned highly 
accommodative, the search for yield 
intensified; banks also retained 
contingent exposure to structured 
investment vehicles with high 


1. Loan Origination 
Compensation was tied to high loan 
volumes and high commission 
mortgages, not subsequent loan 
performance or suitability. 


2. Securitization 


High fee-earning, complex, and 
Opaque product issuance soared, 
requiring advanced financial 
engineering and large quantities of 
underlying loans. 


4. Investors 


rollover risk. 


3. Credit Rating Agencies 


Some securitized products were 
awarded higher ratings than 
fundamentals suggested, and 
correlations were underestimated; 
“Ratings shopping” may have resulted 
in upwardly biased ratings. 


GAEE The self-reinforcing securitization chain. 


Source: Republished with permission of the International Monetary Fund, from 
Securitization: Lessons Learned and the Road Ahead, Vol. 13 (2013). 


seen, the projected global structured finance volume for 2019 
was USD 1 trillion. 


As of 2018, securitization issuance is near the level observed in 
2003. 


The dust has not entirely settled on the regulatory environment. 
Some measures are still being drafted, some are in various 
stages of implementation, and others are facing the possibility 
of repeal. This regulatory uncertainty serves as an obstacle to 
securitization’s comeback. It remains to be seen if, once imple- 
mented, these new measures will be enough to prevent the 
formation of a similar constellation of incentives, actors, and 
circumstances that plagued the securitization process before 
the crisis. 


While it is important to be cognizant of the potential risks posed 
by credit derivatives, the case favoring a thriving market in these 
financial instruments is compelling. The paradigm of active 
credit management has not been replaced by a new paradigm. 
The demand for instruments that efficiently transfer credit risk 
and improve the effectiveness of risk management continues to 
prevail, and the OTD model of banking based on the transfer 
and dispersion of credit risk continues to carry the promise of 
furthering systemic financial stability. 
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IEJGEFA Global Structured Finance Volumes 


2015 2016 2017 2018 2019 forecast 
U.S. (bil. $) 
ABS 183 191(i) 229(i) 239(i) 245(i) 
CMBS 101 76 93 77 80 
CLO 98 72 118 129 110(ii) 
RMBS-related 54 34 70 86 100 
Total U.S. new issue 436 373 510 531 535 
U.S. CLO reset/refi 10 39 167 155 110 
Canada (bil. C$) 15 18 20 24 21 
Europe (bil. €) 77 81 82 106 95 
Asia-Pacific (bil. $) 
China 97 116 220 292 310 
Japan 38 53 48 55 58 
Australia 24 17 36 23 26 
Total Asia-Pacific new issue 159 186 304 370 394 
Latin America (bil. $) 11 12 17 9 18 
APPROXIMATE GLOBAL NEW ISSUE TOTAL (bil. $) 700 670 930 1,040 1,050 
(i)U.S. auto loan ABS volume includes the U.S. dollar-denominated cross-border Canadian transactions. (ii)U.S. CLO resets/refis excluded. 
ABS—Asset-backed securities. CMBS—Commercial mortgage-backed securities. CLO—Collateralized loan obligation. RMBS—Residential 


mortgage-backed securities. NPL—Nonperforming loan. 


Source: Global Structured Finance 2019 Securitization Energized With $1 T In Volume © 2019, reproduced with permission of S&P Global Market 
Intelligence LLC and Standard & Poor's Financial Services LLC. Standard & Poor's Financial Services LLC, provides independent financial information, 
analytical services, and credit ratings to the world’s financial markets. For more information on S&P Global Ratings, visit http://www.standardandpoors 
.com. S&P Global Ratings, 55 Water Street, New York, NY 10041, +1-877-772-5436, option 3, option 3”. Reproduction of any information, data or 
material, including ratings (“Content”) in any form is prohibited except with the prior written permission of the relevant party. Such party, its affiliates 
and suppliers (“Content Providers”) do not guarantee the accuracy, adequacy, completeness, timeliness or availability of any Content and are not 
responsible for any errors or omissions (negligent or otherwise), regardless of the cause, or for the results obtained from the use of such Content. In 
no event shall Content Providers be liable for any damages, costs, expenses, legal fees, or losses (including lost income or lost profit and opportunity 
costs) in connection with any use of the Content. A reference to a particular investment or security, a rating or any observation concerning an invest- 
ment that is part of the Content is not a recommendation to buy, sell or hold such investment or security, does not address the suitability of an 
investment or security and should not be relied on as investment advice. Credit ratings are statements of opinions and are not statements of fact. 
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The following questions are intended to help candidates understand the material. They are not actual FRM exam questions. 


QUESTIONS 


True/False Questions 


4.1 


4.2 


4.3 


The securitization mechanism underlying the subprime 
CDO market played a central role in bringing about the 
2007-2009 global financial crisis (GFC). 

A. True 

B. False 


In a securitization, the bond classes are issued by the loan 
originator and guaranteed by the special purpose vehicle. 
A. True 

B. False 

Credit default swaps allow the transfer of credit risk with- 
out impacting funding or relationship management. 


A. True 
B. False 


Multiple Choice Questions 


4.6 


4.7 


Which of the following cannot be used to transfer credit 
risk from a bank's balance sheet? 

A. Credit derivatives 

B. Credit default swaps 

C. Securitization 

D. US government bond futures 


Credit default swaps helped transfer credit risk in the loan 
book, but also generated new__of a systemic nature. 

A. credit spread risk 

B. counterparty credit risk 

C. interest rate risk 

D. None of the above 


Short Concept Questions 


4.9 
4.10 


Describe the securitization process. 


How do the SEC's risk retention provisions force banks to 
have “skin in the game”? 


4.4 The originate-to-distribute (OTD) business model reduces 


4.5 


4.8 


the incentive for loan originators to monitor the creditwor- 
thiness of borrowers. 


A. True 
B. False 


In a typical securitization, the sources of funds are mainly 
several classes of debt with different ratings and a rela- 
tively large equity tranche. 


A. True 
B. False 


Credit risk includes 

A. the risk of default. 

B. the risk of upgrades and downgrades. 
C. credit spread risk. 

D. All the above 
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The following questions are intended to help candidates understand the material. They are not actual FRM exam questions. 


ANSWERS 


4.1 


4.2 


4.3 


4.4 


45 


False 


The crisis may have had more to do with failings of the 
pre-crisis securitization process than with the underlying 
principle of credit risk transfer. 


False 


In a securitization, the bond classes are issued by the 
special purpose vehicle and not the loan originator. 
Moreover, the SPV does not make any guarantees. 


True 


CDSs do not require funding per se, nor do they require 
any participation from the reference creditor. 


True 


With an OTD model there is typically little incentive for 
lenders to carefully underwrite and monitor the credits in 
the loan pool. Some regulations, such as the SEC's risk- 
retention provisions, have addressed this by requiring 
securitizers to retain some of the risk. However, the OTD 
model still reduces the incentive to monitor credit risk 
compared to the buy-and-hold model. 


False 


Equity tranches typically comprise less than 10% of total 
funding. 


4.6 


4.7 


4.8 


4.9 
4.10 


D. U.S. government bond futures 


Government bond futures offer a mechanism to transfer 
interest rate risk, not credit risk. 

B. Counterparty credit risk 

Even prior to the 2007-2009 financial crisis, regulators 
were concerned about the relatively small number of 
liquidity providers in the credit derivatives markets. They 
feared this nascent market could face systemic disruption 
if any of the major participants were to experience dis- 
tress (in isolation or in concert). 


D. All the above 

All of these are derived from the creditworthiness (or the 
perceived creditworthiness) of the borrower 

Answer: See Section 4.3 


The rules require securitizers to retain, without recourse 
to risk transfer or mitigation, at least 5% of the credit 
risk. 
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Modern Portfolio 
Theory and Capital 


Asset Pricing 
Model 


E Learning Objectives 


After completing this reading you should be able to: 


® Explain Modern Portfolio Theory and interpret the 
Markowitz efficient frontier. 


® Understand the derivation and components of the CAPM. 


© Describe the assumptions underlying the CAPM. 


® Interpret and compare the capital market line and the 
security market line. 


® Apply the CAPM in calculating the expected return on 
an asset. 


® Interpret beta and calculate the beta of a single asset 
or portfolio. 


® Calculate, compare, and interpret the following 
performance measures: the Sharpe performance index, 


the Treynor performance index, the Jensen performance 


index, the tracking error, information ratio, and 
Sortino ratio. 
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Anticipating changes in the financial markets is an important 
component of risk management. Because future market move- 
ments are inherently uncertain, one must rely on models to mea- 
sure and quantify risks. 


This chapter reviews two key theoretical models for market risk: 
modern portfolio theory and the capital asset pricing model. It 
also demonstrates how they are related (as well as their place in 
risk management). 


Market risk has attracted a great deal of academic research 
since the 1950s due to the abundance of available data on 

traded securities. As a result, market risk models have been 
empirically tested in various global markets. 


These models have several simplifying assumptions that allow 
them to deliver insights into the key factors and their interre- 
lationships, without getting bogged down by excess complex- 
ity. In this sense, a “good” financial model is one that helps 

to separate the major explanatory variables from the noisy 
background." 


The stance taken herein aligns with Milton Friedman's edict that 
predictive power is the sole criterion to gauge the success of a 
model. To that end, even a very simple model can be “success- 
ful” if it provides reasonably accurate forecasts and adds value 
to the decision-making process. Despite the criticism directed at 
risk management models following the 2007-2009 financial 
crisis—which saw models fail due to errors in selection, imple- 
mentation, and over-interpretation—models and their underly- 
ing theories are still essential to modern risk management. What 
the crisis taught is that, while models are important tools, what 
is even more important is how they are implemented. 


5.1 MODERN PORTFOLIO THEORY 


Harry Markowitz's Ph.D. dissertation in 1952 put forth the 
foundation of modern risk analysis.? The theory developed by 
Markowitz, referred to as Modern Portfolio Theory (MPT), 


' The Fed and OCC refer to a model as a “quantitative method system 
or approach that applies statistic, economic, financial or mathematical 
theories, techniques and assumptions to process input data into quanti- 
tative estimates.” 


See United States, Board of Governors of the Federal Reserve System, 
Office of the Comptroller of the Currency. (2011, April 4). SR 11-7: 
Guidance on Model Risk Management. Retrieved from https://www 
.federalreserve.gov/supervisionreg/srletters/sr1107.htm 


2 M. Friedman, “The Methodology of Positive Economics,” in Essays in 
Positive Economics (Chicago: University of Chicago Press, 1953). 


3 H. M. Markowitz, “Portfolio Selection,” Journal of Finance 7, 1952, 
pp. 77-91. Markowitz would eventually win the Nobel Prize for Econom- 
ics based upon this work. 


asserts how investors should construct portfolios (or equiva- 
lently, how investors should select investments to include in a 
portfolio) based on certain assumptions about investor behavior 
and the properties of capital markets. 


Markowitz demonstrated that a “rational investor” (i.e., an 
investor who is risk averse and seeks to maximize utility) 
should evaluate potential portfolio allocations based upon the 
associated means and variances of the return distributions. 
Given two investments with the same expected return (as 
measured by the mean of the returns), a risk-averse investor 
will select the one with the lowest risk (as measured by the 
variance). Markowitz's theory also makes the following 
assumptions: 


e Capital markets are perfect, meaning that: 


e There are no taxes or transaction costs; 
e All traders have costless access to all available informa- 
tion; and 


e Perfect competition exists among all market participants 
e Returns are normally distributed. 


The assumption of normally distributed returns allows investors’ 
utility choices (as well as investment portfolios) to be stated sim- 
ply in terms of the mean (i.e., performance) and variance (i.e., 
risk). With all else being equal, investors prefer a higher mean 
return and a lower variance. 


Investors seek to reduce the variance of their portfolio returns 
by diversifying their investments. Diversification is accom- 
plished by investing in a portfolio of assets whose constituents 
have values that do not move in lockstep with one another 
(i.e., they are not perfectly correlated). Specifically, diversifica- 
tion allows investors to offset specific risk exposures associated 
with individual assets. 


According to Markowitz, the level of investment in a particular 
financial asset should be based upon that asset's contribution to 
the distribution of the portfolio’s overall portfolio return (as 
measured by the mean and variance). An asset's performance is 
not judged in isolation, but rather in relationship to the perfor- 
mance of the other portfolio assets. In other words, what mat- 
ters is the covariability® of the asset's return with respect to the 
return of the overall portfolio. Portfolio diversification enables 


4 Markowitz made specific reference to the Von Neumann-Morgenstern 
utility theorem, which postulates that under certain behavioral assump- 
tions, an agent presented with a set of risky outcomes will seek to maxi- 
mize the expected value of a given utility function defined across the 
range of potential outcomes. 


5 The overall variance is equal to the weighted sum (using the portfolio 
weights) of the covariances. 
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(at least in theory) the zero-cost reduction of risk exposures to 
individual assets. 


Logically, a reduction in risk should result in lower expected 
returns. If the asset weights are appropriately selected, 
however, the resulting diversification can enable the opti- 
mization (i.e., maximization) of returns for any given level of 
risk. Plotting the optimal returns for each level of risk results in 
the efficient frontier, which is represented by the solid curve in 
Figure 5.1. Each point on this curve represents the portfolio of 
assets that is expected to offer the highest return for the given 
level of risk. 


In Figure 5.1, portfolio P offers the best expected return for any 
portfolio with the same level of risk. Meanwhile, portfolio K can 
be categorized as being suboptimal because there are portfolios 
that will offer better expected returns for the same level of risk 
(i.e., all the portfolios that lie vertically between portfolio K and 
the efficient frontier). Along the efficient frontier, the only way 
to achieve a higher expected rate of return is by increasing the 
riskiness of the portfolio as measured by the standard deviation. 
Conversely, it is only by reducing the expected return that a less 
risky portfolio can be achieved. Note that the dotted line in the 
plot represents the most inefficient portfolios (e.g., portfolio L) 
where the investor achieves the lowest expected return for each 
level of risk. 


A critical input to the mean-variance model developed by 
Markowitz is the estimated correlation between assets. One 
concern following the global financial crisis was the increase in 
correlations between returns of major asset classes, even during 
normal market conditions. A study by Craig Israelsen looked at 
how the 12-month rolling correlation of 11 major asset classes 
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| Figure 5.1] The efficient frontier of Markowitz. 


with large U.S. stocks changed in the two years before and after 
October 2008.° 


He reported that prior to October 2008, the correlations 
between the large cap stocks and the other 11 major asset 
classes were generally lower than after that date. For example, 
the correlation between U.S. large cap stocks and U.S. bonds 
increased from 0.21 in October 2006 to 0.46 in October 2008. 
The instability of the correlation between these asset classes can 
be seen by looking at the correlation two years later in October 
2010: the correlation decreased to —0.38. 


For the equity asset classes, correlations were high prior to 
October 2008 and went even higher, as seen in Table 5.1.7 


One commonly cited reason for this increase is the huge 
increase in basket trading via index-tracking mutual funds 
and exchange-traded funds (ETFs). Through these vehicles, 
large baskets of assets composed of benchmark indices 
are traded simultaneously and independently of analyst 
recommendations concerning the relative performance of 
these assets. 


Quantitative asset management techniques have been pro- 
posed to adapt to this new environment. These techniques 
consist of identifying risk regimes and optimizing portfolio 
allocations for each specific risk regime. For example, there 
may be periods in which market participants are worried and 
uncertain about the future. Markets adjust quickly to these situa- 
tions, resulting in higher stock market volatility and wider credit 
spreads in the bond market. These periods tend to be followed 
by quieter periods with lower stock market volatility and lower 
bond market credit spreads. An asset manager anticipating a 
high-risk regime can increase a portfolio's allocation toward 


Asset class October | October | October 
2006 2008 2010 
Mid-cap U.S stocks 0.84 | 0.98 0.96 
Small-cap U.S. stocks 0.78 | 0.96 0.91 
Non-U.S. stocks 0.63 | 0.92 0.90 
Emerging market stocks 0.77 | 0.85 0.92 


6 C.L. Israelsen, “What a study of correlations reveals 
about diversification,” Financial Planning, January 5, 2017. 
Available at https://www.financial-planning.com/news/ 
what-a-study-of-correlations-reveals-about-diversification\ 


7 Table created from data reported in the Israelsen study. 
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BOX 5.1 SENSITIVITY OF MEAN-VARIANCE PORTFOLIOS 


Several studies have investigated how errors in estimating 
the mean, variance, and covariance of stock returns affect 
the composition of optimal portfolios. What these studies 
find is that even small deviations in the input values of mean- 
variance analysis on the resulting portfolios produce notably 
large effects.* In other words, mean-variance efficient port- 
folios are highly sensitive to the inputs. Furthermore, among 
the inputs of the mean-variance model, errors in estimating) 
expected returns are observed to cause the most concern. 
Specifically, errors in estimating expected returns are found 


low-risk assets, such as money market funds. Conversely, a 
manager anticipating a low-risk regime can switch to a more 
aggressive asset allocation favoring equities, emerging markets, 
commodities, high-yield bonds, and so on. Each asset allocation 
is optimized to generate the highest return for the regime with 
which it is associated. These approaches combine risk manage- 
ment techniques with optimal portfolio selection to control the 
volatility of investment portfolio returns. 


Although MPT was an important breakthrough in the theory 
of portfolio selection, there are major concerns about the 
unwarranted assumptions underlying the theory and the 
issues associated with applying the theory in practice.® 


For example, the assumption that returns are normally distrib- 
uted is a major concern. The preponderance of empirical evi- 
dence across different asset classes and countries fails to 
support the assumption that asset returns are normally distrib- 
uted. These studies show that return distributions have fat tails 
(i.e., there are more observations in the tails of the distribution 
than a normal distribution) and are asymmetric. Another 
assumption that is challenged is that investors ignore skewness 
in selecting assets by only focusing only on the mean and the 
variance of returns. By ignoring the skewness of a return distri- 
bution, the estimated mean and variance of returns will be incor- 
rect. Studies by Campbell Harvey? and Bekaert and Harvey’? 
found that skewness of return distributions is important in asset 
pricing. 


8 For a more detailed discussion, see P. K. Kolm, R. Tütüncu, and 

F.J. Fabozzi, “60 Years of Portfolio Optimization: Practical Challenges 
and Current Trends.” European Journal of Operational Research, 234 
(April 2014), pp. 356-371. 


ICR. Harvey, “The Drivers of Expected Returns in International 
Markets.” (July 25, 2000). Available at SSRN: http://ssrn.com/ 
abstract=795385 


10 G, Bekaert and C.R. Harvey, “Research in Emerging Markets Finance: 
Looking to the Future,” (September 11, 2002). Available at SSRN: http:// 
ssrn.com/abstract=795364 


to be at least 10 times more important than errors in estimat- 
ing variances and covariances. 


a The effect of a small increase in a single asset on portfolio weights 
is studied by M. J. Best and R. R. Grauer, “On the Sensitivity of 
Mean-Variance-Efficient Portfolios to Changes in Asset Means: Some 
Analytical and Computational Results,” Review of Financial Studies 4, 
2 (1991), pp. 315-342. 


by, K. Chopra and W. T. Ziemba, “The Effect of Errors in Means, Vari- 
ances, and Covariances on Optimal Portfolio Choice,” Journal of Port- 
folio Management 19, 2 (1993), pp. 6-11. 


The major implementation issue comes when estimating the 
parameters required to apply the model (i.e., the mean and the 
variance of returns, along with correlations between each asset 
in the portfolio). These parameters are typically estimated using 
historical data over a certain period of time. However, the the- 
ory does not identify which period should be used to estimate 
these parameters despite the fact that the resulting allocation 
can differ greatly depending on which historical data are used. 
(See Box 5.1). There are methodologies that have been used to 
deal with the problem of the uncertainty about these parame- 
ters. One popular method is to use a technique called robust 
portfolio optimization, which incorporates estimation error 
directly into the portfolio optimization process." 


5.2 THE CAPITAL ASSET 
PRICING MODEL 


Economists William Sharpe, John Lintner, and Jan Mossin 
furthered MPT theory in the 1960s by incorporating overall capital 
market equilibrium. 1? The derived equilibrium model, popularly 
referred to as the capital asset pricing model (CAPM), shows the 
relationship between the risk and expected return of a risky asset. 


Specifically, Sharpe, Lintner, and Mossin decomposed the total 
risk of a risky asset (as measured by the standard deviation of 
returns) into two components. The first component is called 


11 W.C. Kim, J.H. Kim, and FJ. Fabozzi Robust Equity Portfolio Manage- 
ment (John Wiley & Sons, 2016). 


12 W, F. Sharpe, “Capital Asset Prices: A Theory of Market Equilibrium 
under Conditions of Risk,” Journal of Finance 19, 1964, pp. 425-442. 

J. Lintner, “Security Prices, Risk and Maximal Gains from Diversification,” 
Journal of Finance 20, 1965, pp. 587-615, and J. Mossin, “Equilibrium in 
a Capital Asset Market,” Econometrica 34, 1966, pp, 768-783. Sharpe 
was awarded the Nobel Prize in 1990. One of the rules of the Nobel 
award is that the recipient must be alive. Lintner and Mossin had passed 
away by then, so by rule they could not receive the highest honor in 
economics. 
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systematic risk. According to the CAPM, this risk is market risk 
and (as will be explained) is proxied by the asset's beta. The sec- 
ond risk is one that is unique to that asset. In the case of a stock, 
it is the risk that is unique to the company. For example, this risk 
can include strikes, adverse consequences of regulatory change, 
or litigation in which the company is accused of some wrongdo- 
ing. This risk is also referred to as is idiosyncratic risk. 


The CAPM demonstrates that by combining assets into 

a portfolio, each asset's unique risk can be eliminated. 

This leaves market risk as the portfolio’s sole exposure. 
Because in a well-diversified portfolio the unique risk can 
be eliminated, unique risk is also referred to as diversifiable 
risk. Since systematic risk cannot be eliminated even in a 
well-diversified portfolio, systematic risk is also referred to 
as non-diversifiable risk. 


The derivation of CAPM includes several crucial assumptions, ' 


some of which are the same as those used by Markowitz in 
deriving the MPT: 


e Access to information for all market participants, meaning 
that all information is freely available and instantly absorbed; 


e All market participants have the same expectations; 


e All market participants make their investment decisions 
based on the mean and variance of returns; 


e No transaction costs, taxes, or other frictions; 


e Allocations can be made in an investment of any partial 
amount (i.e., perfect divisibility); 


e All participants can borrow and lend at a common risk-free 
interest rate;'4 and 


e Any individual investor's allocation decision cannot change 
the market prices. 


The CAPM model shows that market equilibrium is achieved 
when all investors hold portfolios consisting of the riskless 
asset and the market portfolio described earlier. Each inves- 
tor’s portfolio is just a combination of these two, with the 
proportional allocation between them being a function of the 
individual investor's risk appetite. 


Accordingly, the expected return on a risky asset is deter- 
mined by that asset's relative contribution to the market port- 
folio’s total risk. In this case, the relevant measure of risk is 
the risk that cannot be diversified away (i.e., non-diversifiable 
risk or systematic risk). This means that investors should only 


13 These assumptions have all been relaxed by various researchers 
throughout the years. 


14 For example, it is generally assumed that one can earn a risk-free rate 
of interest by investing in US government obligations. 
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be compensated for the risk that cannot be eliminated by 
diversification. 


Systematic risk is proxied by a measure called beta and is calcu- 
lated as: 
cov(R, Ry) o; 
B= = am 6.1) 
om OM 
R; and Ry are (respectively) the returns on asset i and the market 
portfolio M, while oj and oy are their associated standard devia- 
tions. Meanwhile, p;m is the correlation between the returns on 
asset i and those on the market portfolio.'® 


An asset's contribution to the overall risk of the market portfolio 
is given by the ratio of the covariance of the rates of return for 
the asset and the market portfolio (i.e., the numerator) to the 
variance of the market portfolio’s rate of return (i.e., the denomi- 
nator). Note that the weighted sum across all covariances equals 
of (i.e., the market portfolio's total risk) 


N 
2x cov(R;, Ru) = of (5.2) 


In Equation (5.2), each asset's relative weight is given by x;, N is 
the total number of assets in the market portfolio, and 


N 
Dx =1. 
i 


Starting with Equation (5.2), dividing both sides of the equation by 
aĝ, and using the definition of £ in (5.1), the following result is 


N 
Dx hi = 1 
i=1 


Note that beta measures the relative co-movement of the return 
of security i with that of the market, and therefore the weighted 
sum of the betas for all assets in the market portfolio equals 
one. In other words, the beta of the market portfolio is one by 
construction. 


From an investor's perspective, beta represents the portion of 
an asset's total risk that cannot be diversified away and for 
which investors will expect compensation. Put more simply, the 
higher the beta, the higher the systematic risk (and therefore the 
higher the expected rate of return).'6 


15 CAPM dictates that total risk 7? can be disaggregated into the system- 
atic, o7p?y and the specific «?(1 — p?p) risk components. For example, 
if pim = 0.5 then the systematic risk component is 0.25 ø? and the 
specific risk component is 0.75 o?. 


16 An unlevered beta is the beta of a company without taking debt into 
account. In other words, the unlevered beta removes the financial effects 
of leverage. Unlevered Beta = Levered (equity) Beta/[1 + (1 — tax rate) 
(Debt / Equity)]. 
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Under this set of assumptions, the expected rate of return over 
a given holding period on a given asset i is the mathematical 
representation of the CAPM: 


E(R) = r + BLE(Ry) — r) (5.3) 


Here, E(R)) is the expected return of asset i over the holding 
period and ris the rate of return on the risk-free asset. The mar- 
ket risk premium is E(Rm) — r and £; is the quantity of market 
risk. Therefore, B{E(Ry) — r] is the expected return premium 
above the risk-free rate (as required by investors according to 
the CAPM). A useful interpretation of Equation (5.3) is that if the 
assumptions of the CAPM hold, the expected return on asset i 
should be the return on the risk-free asset plus a risk premium. 
The risk premium has two components: the quantity of market 
risk and the unit price of market risk (i.e., how much the market 
compensates investors for taking on a unit of market risk). 


As noted above, the market risk premium is the difference 
between the expected rate of return of the market portfolio 
and the risk-free rate: [E(Rm) — r]. According to the theory, 
E(Ry) represents the portfolio of all risky assets in the market. In 
practice, however, a “broad enough” index of traded shares is 
used as a proxy (e.g., the S&P 500). Note that broadness is 
subjective and there continues to be substantial debate among 
economists and investors alike over what is the exact market 
risk premium.'” What is less controversial is the common 
estimate for the risk-free rate (r), which is the three-month 

U.S. Treasury rate. 


5.3 THE CAPITAL MARKET LINE AND 
THE SECURITY MARKET LINE 


Look again at Figure 5.1 which shows the efficient frontier as 
given by the solid curve. Now let us introduce the risk-free 
rate r. The risk-free rate has no standard deviation, so it lies 
on vertical axis. In Figure 5.2, a line is drawn from the risk-free 
rate and becomes tangent to the efficient frontier at point M 
(i.e., portfolio M), which is called the tangency portfolio. The 
line shows all portfolios that an investor can now create once 
we allow for a risk-free asset and is called the capital market 
line (CML). 


Now, compare the portfolios on the CML with the portfolios 
on the efficient frontier. With the exception of portfolio M, 
the portfolios on the CML dominate the portfolios on the 


1? For an updated empirical estimation of the market risk premia of 
different countries, see the website of Professor Aswath Damodaran: 
http://pages.stern.nyu.edu/~adamodar/New_Home_Page/datafile/ 
ctryprem.html 


efficient frontier. By dominate, we mean that the portfolios 
on the CML, with the exception of the tangency portfolio (M), 
have a higher expected return for every level of risk as mea- 
sured by the standard deviation. It has been demonstrated 
that the tangency portfolio is a portfolio that contains all 
assets held in proportion to their market value and for that 
reason is called the market portfolio (as we defined it for 

the CAPM). 


The implication of the CML is that all investors should allocate 
to two investments: the risk-free asset and the market portfolio. 
This is referred to as the “two-fund separation theorem.” 
According to this theorem, the amount that should be allocated 
to the risk-free investment and the market portfolio depends on 
an investor's risk tolerance. Investors with little tolerance for risk 
will allocate most of thier funds to the risk-free asset. Those who 
seek more risk will allocate a greater proportion of funds to the 
market portfolio. 


The equation for the CML is 


E(Rp) = r + 


ERW ET (5.4) 
Oo; 


M 
where 


E(Rp) is expected portfolio return, r is risk-free rate, E(Ry) is 
expected market return, oy is standard deviation of market 
returns, and op is standard deviation of the portfolio returns 


From the CML another important relationship can be developed 
called the security market line (SML). The SML gives the relation- 
ship between the expected return for individual assets (not port- 
folios) and risk. However, in the SML the risk measure is systematic 
risk as proxied by beta, rather than the standard deviation (as in 
the CML). 


Capital 
Market 
Line (CML) 


Expected 
Return 


Efficient 
Frontier 
Risk Free 
Rate of 
Interest 


Standard Deviation 


GMA Capital market line. 
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5.4 ESTIMATING BETA 


In practice, beta analysis for any individual 
security is implicitly based upon that secu- 
rity's volatility (i.e., total risk) and the cor- 
relation of its returns with those of the 
market. Explicitly, beta is estimated by 


simple linear regression:'® 


y = 0.3639x- 0.0014 


J.P. Moragan versus SPY 


R? =0.4571 
e 


Ri — re = a; + B(Rue — r) + er (5.5) 


where Ri, and Rm are the respective rates 
of return for security i and the market 
portfolio, r, is the short-term, risk-free rate, 


JPM Excess Return 


and sņ is a residual value (all taken at some 
time t). The regression parameters are a; 
(i.e., the intercept) and b; (i.e., the slope 
and the estimate of 8). Note that the 
empirical model (5.3) is referred to as the 
market model and is based on observa- 
tions, whereas the CAPM described in 
(5.3) is based on expectations. 


Figure 5.3 shows the estimated beta!? for 
J.P. Morgan's stock, based on the monthly 
rates of return for the period between June 2008 and May 2019. 
The beta is estimated as the slope coefficient for a regression line 
of the firm's excess return and that of the market.”° The regres- 
sion line points to a raw, unadjusted beta?! of 0.36. This means 
that a 1% change in market excess returns return corresponds to 
a 0.36% in excess returns for J.P. Morgan’s stock price. 


Stocks with betas greater than 1 are considered aggressive 
(because they are exhibit more systematic risk than the market), 
whereas those with betas lower than 1 are considered defensive 
(because they exhibit less systematic than the market). For exam- 
ple, many utility companies in the United States are extremely 
defensive and have betas of around 0.5. From the example 
above, JPMorgan would be considered a defensive stock. 


Since its development, CAPM has become an important tool in 
understanding the behavior of prices in capital markets. Despite 


18 Note that this is a simple reformulation of Equation (5.3) that sub- 
tracts the risk-free rate from both sides and thereby lowers the intercept 
but does not affect the slope of the regression line. 


19 The calculation is done without considering the effect of dividends; 
log returns were used for the equities and the one-year U.S. Treasury bill 
rate netted against those figures. 


20 The proxy for the market was the ETF SPY, which is designed to track 
the S&P 500. 


21 An unadjusted raw beta is calculated solely on the basis of histori- 
cal data. If the historical beta is adjusted (say to reflect mean reversion 
properties) then it is called an adjusted beta. 
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Market Excess Return 
EMA] Raw beta computation for J.P. Morgan. 


its critical role in financial theory, empirically there is little sup- 
port for the CAPM. One of the findings that questions the valid- 
ity of the CAPM is that there are other factors driving security 
returns in addition to the market factor. These other factors are 
explained in the next chapter. 


Beta is also highly important to corporate managers focusing 
on creating shareholder value. For instance, many corporations 
require a minimum rate of return on the investment to assess 
the desirability of new ventures. This hurdle rate is often based 
on beta analyses, which are essentially how a firm understands 
the market's expectations for its relative return (or how the 
market would view the relative return of the proposed venture/ 
project). A failure to properly understand investor expectations 
can lead to a hurdle rate set at the wrong level. Note that a 
hurdle rate set too high can result in missed investment oppor- 
tunities by a company, whereas a rate set too low may result in 
sub-par investment decisions. 


Lastly, note that the original CAPM was developed for discrete 
time intervals (e.g., one-year or one-month horizons). Subse- 
quently, Merton extended the model to a continuous-time 
framework by assuming that trades are continuously executable 
and price changes are smooth (i.e., no jumps in prices).22 


22 R.C. Merton, “An Intertemporal Capital Asset Pricing Model,” 
Econometrica 41, pp. 867-887. This is only one of many extensions of 
the CAPM. 
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5.5 PERFORMANCE MEASURES 


In a world where the market is in equilibrium and is expected 

to remain in equilibrium, no investor can achieve an abnormal 
return (i.e., an expected return greater than that return pre- 
dicted by the CAPM risk-return relationship). Each asset (or 
portfolio of assets) yields an identical risk-adjusted return. That 
is, all securities will lie on the SML and all portfolios on the CML. 


Of course, this is not the case in the real world. First, it is not 
known exactly how expected values are determined. While they 
can be estimated, such estimations are always subject to mea- 
surement errors. Second, markets are rarely in equilibrium. And 
once they reach equilibrium, deviations from equilibrium are 
likely to occur almost instantaneously. In the real world, stocks 
and portfolios may yield a return in excess of, or below, the 
return with fair compensation for the risk exposure. 


This is the reason why portfolio managers rely on indices to 
measure the performance of a given stock or portfolio relative 
to the CAPM equilibrium risk-return relationship. 


This section compares several performance indices and 
illustrates how they are used. The focus is on the three tradi- 
tional measures of portfolio performance based on CAPM: 
(1) the Sharpe reward-to-volatility ratio, (2) the Treynor 
reward-to-volatility ratio, and (3) the Jensen performance 
index. Also presented are some additional indices proposed 
in academic literature to measure performance. Regardless of 
the measure used, the overall idea is the same: To get higher 
average returns one must assume a greater amount of risk. 


Sharpe Performance Index 


As previously discussed, the capital market line is given by: 
E(Ry) -r op 


om 


E(Rp) =r + 


E(Rp) and øp are the expected return and the standard deviation of 
the return, respectively, for an efficient portfolio P. Meanwhile, r is 
the risk-free rate and E(Ry) and oy are, respectively, the expected 
return and the standard deviation for the market portfolio. 


E(Ru) — ") 
O] 


M 
librium compensation. As can be seen it measures expected 
excess return per unit of volatility. 


The capital market line's slope ( is the fair equi- 


The investment performance index proposed by Sharpe (SPI) is 


_ ER)-r 


a] 


SPI 


where E(R;) and oj are the expected return and the standard 
deviation, respectively, for the rates of return on any asset or 
portfolio I. 


An SPI greater than the slope of the capital market line indicates 
a superior performance to what is expected in equilibrium. On 
the other hand, an SPI below the slope of the capital market line 
indicates an inferior performance. 


Treynor Performance Index 


The Treynor performance index (TPI) is 
ER) -r 

I 
TPI is like SPI in the sense it measures the risk premium E(R)) — r 
per unit of risk. However, the two measurements are calculated 
using different risk measures. Whereas SPI uses the standard 
deviation of the rates of return, a, TPI uses the beta of the asset 
or portfolio I. For a well-diversified portfolio, beta is widely 
accepted as an appropriate measure of risk. 


TPI = 


The derivation of TPI from CAPM is straightforward. According 
to CAPM: 


E(R) = r + BLE(Ry) — r] 


where E(R)) is the expected return on the risky asset or portfolio 
l, and B; is the asset's systematic risk measure. Then: 


ER) -= r 
Bı 


Thus, in equilibrium it is expected that this ratio will be constant 
across all risky assets and portfolios and equal to the excess 
expected return on the market portfolio E(Rm) — r (also called 
the alpha measure). Any TPI greater than E(Ry) — r is consid- 
ered to have a positive alpha (indicating superior performance), 


TPI = = E(Ry) -r 


while a TPI below E(Ry) — r would indicate a negative alpha and 
inferior performance. 


Jensen’s Performance Index 


Jensen's performance index (JPI) is like TPI, as both measures 
assume investors hold well-diversified portfolios. 


By running a time-series regression of the portfolio excess rate 
of return (Ry — r) on the market portfolio's excess rate of return 
(Rm: — r), one can estimate the beta of portfolio I: 


(Re — r) = & + B(Rve — r) + er 


where @ and Ê, are the regression coefficients and ep is the 
deviation of | from the regression line in period t. Taking the 
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mean on both sides, the residual disappears as the average 
deviation, €, is always zero by construction: 


Ri — r = âi + B(Ru - 1) 
According to CAPM, one expects â; to be zero in equilibrium. 


Hence the JPI, also known as Jensen's Alpha, concentrates on 
the alpha of the regression. 


If â is significantly different from zero and is positive, then the 
performance of | is considered superior, while it is considered 
inferior if & is negative. 


Link Between the Treynor and Jensen's 
Performance Measures 


The JPI is given by â, the y-axis intercept of the regression line: 


R,- r= âi + BR - ù 


dividing through by Bi: 
R-r â ai 
a oa ma) 
Bi Bi 


The left-hand side of the equation is the TPI. Because superior 


_ a 
performance implies TPI > (Ry — r), then =~ must be positive. 
x | 
Because f > 0 for virtually all assets, it follows that â; > 0. 


Therefore, as long as Ê >0,a superior performance as mea- 
sured by TPI implies a superior performance by JPI, and vice 
versa. However, the relative ranking of portfolios by the two 

performance indices may differ. 


Sortino Ratio 


The Sortino ratio (SR) is a modification of SPI. Both ratios mea- 
sure the risk-adjusted return of an asset or portfolio. However, if 
the primary focus is on downside risk, then SR is considered to 
be an improvement over SPI: 


SR 
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The denominator is the downside deviation, as measured by the 
standard deviation of returns below the target. T is the target or 
required rate of return for the investment strategy, also known 
as the minimum accepted rate of return (MAR). T may be set to 
the risk-free rate or another hurdle rate. 


Notice that the Sharpe and the Treynor ratios compare or adjust 
performance relative to the return on a risk-free asset. The Sor- 
tino ratio, in contrast, compares or adjusts performance based 
on some client-specified return. For that reason, portfolio man- 
agers will find it more useful in evaluating performance than the 
Sharpe and Treynor ratios. 


Information Ratio 


Another performance measure that compares or adjusts perfor- 
mance relative to a benchmark is the information ratio. In order 
to understand this ratio, we have to introduce an important 
measure of risk called the tracking error. 


Tracking error (TE) is the measure of the difference between 
a portfolio's returns and those of a benchmark it was meant 
to mimic or to beat. The first step to calculate TE is simply to 
calculate: 


Rp = Re 


where Rp is the return on the portfolio under consideration and 
Rg is the return on the client-specified benchmark portfolio. This 
difference is referred to as the active return. Tracking error is 
then the standard deviation of the active returns over some time 
period. 


An indexed portfolio (i.e., a portfolio constructed to mimic the 
benchmark) will have a tracking error close to zero. Active port- 
folio managers will have larger tracking errors that increase the 
more their portfolio deviates from the holdings of the benchmark. 


Given the tracking error, the information ratio is calculated as 
the ratio of the active returns divided by the tracking error. 
That is, 

Average active return 


R Tracking error 
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The following questions are intended to help candidates understand the material. They are not actual FRM exam questions. 


QUESTIONS 


5.1 


5.2 


5.3 


5.4 


5.5 


5.6 


5.7 


Is the market portfolio the only efficient portfolio that can 
be formed? 


What does beta measure? 

A. The volatility of the security 

B. The joint volatility of any two securities in a portfolio 

C. The volatility of a security divided by the volatility of 
the market index 

D. The relative co-movement of a security with the mar- 
ket portfolio 


In the CAPM, what is the expected return for a stock with 
a beta of 1? 

A. E(R)) 

B. E(Ry) -r 

C. r+ (E(Ry) — n) 

D. E(Ry) 


Here are the betas for three stocks: 
3M 1.14 
IRobot Corporation 1.49 
Applied Materials Inc. 1.64 


The stock of which company is the most aggressive? 


The risk-free rate of interest is r = 5% and the market 
portfolio is characterized by E(Ry) = 13%. The betas 
for stocks A, B, and C are 0.5, 1.0, and 2.0, respectively. 
According to the CAPM, what are the expected returns of 
the three stocks? 

A. E(R,) = 5%, E(Rp) = 11%, E(Ro) = 21% 

B. E(Ra) = 9%, E(Rg) = 13%, E(Rc) = 21% 

C. E(Ra) = 14%, E(Rs) = 22%, E(Rc) = 26% 

D. None of the above 

The Sharpe ratio and the Treynor ratio evaluate 
performance relative to a customized benchmark. 

A. True 

B. False 

The Capital Market Line dominates the efficient frontier 
once a risk-free asset is introduced. 


A. True 
B. False 


5.8 


5.9 


5.10 


5.17 


5.18 


The realized rate of return on stock A and stock B will be 
the same each month if they have the same beta. 


A. True 
B. False 


If r = 4% and E(Ry) = 10%, then a stock with a beta of 
1.3 is expected to return 

A. 10.0%. 

B. 6.0%. 

C. 7.8%. 

D. 11.8%. 


The approximate tracking error for a fund that is indexed 
is equal to 

A. —12% 

B. 0% 

C. 4% 

D. Greater than 20% 

What are the major assumptions needed to establish 
CAPM (as made by Sharpe, Lintner, and Mossin)? 

What is the two-fund separation theorem? 

What is the relationship between CAPM and the market 
model? 

What is the difference between the Capital Market Line 
and the Security Market Line? 

Define systematic risk and nonsystematic risk. 

According to CAPM, the higher the variance of a security, 
the higher its expected return. 

A. True 

B. False 


In the Sortino ratio, is performance compared to the 
performance of a risk-free asset or a client-designated 
benchmark? 


The beta of a security estimated from historical returns 
is equal to the true beta of the security. True or false? 
Discuss. 
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The following questions are intended to help candidates understand the material. They are not actual FRM exam questions. 


ANSWERS 


5.1 
5.2 


5.3 


5.5 


5.6 
5.7 
5.8 


5.9 
5.10 
5.11 


5.12 


No 


D. The relative co-movement of a security with the mar- 
ket portfolio 


C.r+ E(Ry) =r 
According to the CAPM, the expected return is 
r+ B[E(Ry) — rl. 


Since the question says that the stock has a beta of 1, 
substituting 1 for beta gives the answer above. 


The most aggressive stock is the one with the largest 
beta, Applied Materials, Inc. 


B. E(Ra) = 9%, E(Re) = 13%, E(Rc) = 21% 
In equilibrium, all three stocks are on the same security 
market line: 
E(R) = r + [E(Ry) — r] Bi 
False 
True 
False 


The realized return is random. CAPM predicts that the 
expected rates of return for stocks A and B should be the 
same. 


D. 11.8% 
B. 


e Investments are perfectly divisible; 

e They are no transaction costs and/or taxes; 

e Full and costless information is available to all investors; 

e The lending and borrowing rates are equal, and are 
the same for all investors; and 


e Each investor can borrow or lend any amount at the 
market rate. 


According to capital market theory, all investors will 
invest in two assets: the risk-free asset and the market 
portfolio. 
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5.13 


5.14 


These models are frequently confused because they both 
demonstrate a relationship between every asset and the 
market portfolio. 


The market model is an empirical model based on real- 
ized rates of return, whereas CAPM is based on expected 
and unobserved variables. The market model also pro- 
vides a method of decomposing asset returns into two 
components: a systematic (or market) component and a 
residual (or non-market) component: 


Tp = ap + bpry + ep 


where rp = Rp — r (or the excess return of the portfolio 
return Rp over the risk-free rate r), and ry = Ry — r (or 
the excess return of the market portfolio Ry over the 
risk-free rate r). 


The residual component ep is uncorrelated with the 
market excess return ry. The systematic component is 
beta multiplied by the market excess return. The market 
model thus appears to be a natural framework for esti- 
mating beta. 


CAPM is an equilibrium pricing model, which suggests 
that each asset is priced so that its expected return com- 
pensates for its contribution to the risk of the market 
portfolio. The asset's expected return is thus found to be 
proportional to its beta. For a well-diversified portfolio, 
an asset's risk contribution will approximate its risk con- 
tribution to the market portfolio. 


The CML shows the relationship between expected 
returns on an efficient portfolio and its standard 
deviation (See Figure 5.2), Another important relation- 
ship can be developed from the CML called the security 
market line (SML). The SML gives the relationship 
between the expected return for individual assets (not 
portfolios) and risk. However, in the SML the risk measure 
is systematic risk as proxied by beta, not by standard 
deviation as in the CML. 
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The following questions are intended to help candidates understand the material. They are not actual FRM exam questions. 


5.15 


5.16 


Systematic, or undiversifiable, risk is that portion of the 
risk that is associated with market fluctuations and there- 
fore cannot be reduced by diversification. 


Non-systematic, or diversifiable, risk is that portion of risk 
that can be eliminated by combining the security in ques- 
tion with others in a diversified portfolio. 


False: 

A security may have a higher variance of returns 
but still have a lower expected return because of its 
low beta. 


5.17 The Sortino ratio compares a portfolio's performance to 


that of a client-designated benchmark which is a mini- 
mum return that the client specifies. 


5.18 This statement is false. The beta of a security obtained 


from past data is only an estimate of the true beta, which 
is unknown. The estimate is subject to statistical estima- 
tion errors and the true beta, at best, can be said to fall 
within a confidence interval with a given probability (the 
confidence level). 
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The Arbitrage 
Pricing Theory 
and Multifactor 


Models of Risk and 
Return 


E Learning Objectives 


After completing this reading you should be able to: 


® Explain the Arbitrage Pricing Theory (APT), describe its ® Explain how to construct a portfolio to hedge exposure to 
assumptions, and compare the APT to the CAPM. multiple factors. 

® Describe the inputs (including factor betas) to a ® Describe and apply the Fama-French three-factor model in 
multifactor model and explain the challenges of using estimating asset returns. 


multifactor models in hedging. 


® Calculate the expected return of an asset using a 
single-factor and a multifactor model. 
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As explained in Chapter 5, the capital asset pricing model 
(CAPM) is a single-factor model that describes an asset's 
expected rate of return as a linear function of the market's risk 
premium above a risk-free rate. Beta is the coefficient (i.e., the 
slope) of this relationship. 


The Arbitrage Pricing Theory (APT) is another theory that seeks 
to explain the relationship between expected returns and 

risk. However, unlike the CAPM, the APT considers more than 
just market risk. According to the APT, an asset's expected 

rate of return is a linear function of several factors. However, 
the APT does not specify what the risks are. The task of 
identifying the risks is based on economic logic and empirical 
analysis. Moreover, the single factor in CAPM (i.e., the market's 
expected risk premium) is derived from a theoretical model 
with assumptions about investor behavior. In contrast, APT only 
assumes that there are no arbitrage opportunities. 


6.1 THE ARBITRAGE PRICING THEORY 


The APT suggests that multiple factors can help explain the 
expected rate of return on a risky asset. One of these factors is 
the market in general, just as in the case of the CAPM. Other 
factors include macroeconomic and fundamental company 
attributes. However, the model does not say which of these 
factors adds to the explanatory power of the relationship. 


The APT was initially proposed in 1976 by Professor Stephen Ross." 
Unlike CAPM, APT does not assume investors hold efficient portfo- 
lios (as defined within the mean-variance framework) and does not 

assume risk aversion. Instead, APT has three underlying assumptions. 


1. Asset returns can be explained by systematic factors that 
affect all securities.” 


2. By using diversification, investors can eliminate specific (or 
idiosyncratic) risk from their portfolios. 


3. There are no arbitrage opportunities among well-diversified 
portfolios. If any arbitrage opportunities were to exist, 
investors would exploit them away. 


According to APT, the return on a security is given by: 
R; = E(R) + Balh — Elh)]+ -++ +Bixllk ~ Eld] + e; (6.1) 
where:3 


, N) with 


R; is the rate of return on security i (i = 1, 2, ... 
expected return E(R)); 


1S. Ross, “The Arbitrage Theory of Capital Asset Pricing,” Journal of 
Economic Theory 13 (3), 1976, 341-360. 


2 Note that APT does not assume that asset returns are normally 
distributed. 


3 N being the number of securities. 


I, — E(,) is the difference between the observed and expected 
values in factor k (it is also known as the surprise factor); 


Bik is a coefficient measuring the effect of changes in factor I, 
on the rate of return of security i; and 


e; is the noise factor (i.e., the idiosyncratic factor). 


The basic premise of APT is that investors can create a zero- 
beta portfolio with zero net investment. If such a portfolio 
yields a positive return, however, then a sure profit can be real- 
ized through arbitrage. The fundamental result, as proved by 
Professor Ross, is that the absence of arbitrage opportunities 
requires the expected return on all well-diversified portfolios 
to satisfy 


(Rp) = ERA + ArfE(,) ERDF ++ +Bpx{E(k) ERD] (6.2) 
Where 


Rp is the return on a well-diversified portfolio with expected 
return E(Rp); 


Bpk is the factor loading for the portfolio P related to 
factor k; 


E(Rz) is the expected rate of return on the zero-beta port- 
folio (i.e., the risk-free rate) such that Cov(l,, Rz) = 0, for 
k=1,...,K; and 


E(I,) — E(Rz is the risk premium associated with factor k. 


Although both the APT and CAPM refer to the expected rate of 
return on security |, because the expected rate of return is unob- 
servable, one must use the realized historical average instead. 
As introduced in Chapter 5, the empirical proxy to CAPM is 
shown in Equation 5.5 in Chapter 5. 


Many empirical works prefer to use the APT approach rather 
than that of CAPM because the latter is a special case of the for- 
mer. Note that CAPM is a one-factor model and thus the market 
index is the only variable used to explain the expected return for 
any security. On the other hand, the APT is a multi-factor model 
where several different factors can be used to explain the varia- 
tion in expected rates of return. APT is often used to decompose 
the factors’ respective contributions to the expected return. 


6.2 DIFFERENT TYPES OF FACTOR 
MODELS 


Gregory Conner describes the three different types of factor 
models in practice: macroeconomic factor models, fundamental 
factor models, and statistical factor models.4 


4G. Connor, "The Three Types of Factor Models: A Comparison of Their 
Explanatory Power,” Financial Analysts Journal 51(3), 1995, 42-57. 


86 E Financial Risk Manager Exam Part I: Foundations of Risk Management 


Macroeconomic Factor Models 


As their name suggests, macroeconomic factor models seek to 
explain returns using macroeconomic variables. Chen, Roll, and 
Ross introduced the first macroeconomic factor model in the 
1980s.° They found that the following set of macroeconomic fac- 
tors were important in explaining the realized average rates of 
return on stocks traded on the New York Stock Exchange (NYSE): 


e The spread between long-term and short-term interest rates 
(reflecting shifts in time preferences); 


e Expected and unexpected inflation; 


e Industrial production (reflecting changes in cash flow 
expectations); and 


e The spread between high-risk and low-risk corporate bond 
yields (reflecting changes in risk preferences). 


Later, Roll and Ross joined Burmeister and Ibbotson to develop 
a proprietary factor model that includes the following macroeco- 
nomic factors: investor confidence (confidence risk), interest 
rates (time horizon risk), inflation (inflation risk), real business 
activity (business cycle risk), and market index (market 

timing risk).6 


Fundamental Factor Models 


A fundamental factor is an attribute of a company or an indus- 
try. A company’s price/earnings ratio, book/price ratio, esti- 
mated revenue growth, and market capitalization are examples 
of fundamental factors. 


Probably the most well-known factor model that uses fundamen- 
tal factors is the three-factor model proposed by Eugene Fama 
and Kenneth French.’ Their model extends CAPM by adding 
two fundamental factors: 


1. Small Minus Big (SMB) (i.e., the difference between returns 
from small stocks and those from large stocks); and 


2. High Minus Low (HML) (i.e., the difference between the 
returns on stocks with high book-to-market values and 
those of stocks that have low book-to-market values).® 


5 N. Chen, R. Roll, and S. Ross, “Economic Forces and the Stock 
Market,” Journal of Business 59 (3), 1986, 383-403. 


6 E, Burmeister, R. Ibbotson, R.R. Roll, and S. A. Ross, “Using 
Macroeconomic Factors to Control Portfolio Risk,” unpublished paper. 


7 E.F, Fama and K.R. French, “Common Risk Factors in the Returns on 
Stocks and Bonds,” Journal of Financial Economics 33 (1993), pp. 3-56. 


8 For example, a book to market value ratio above one is preferred 
by value managers because that means a firm is trading cheaply when 
compared to its book value. 


The three-factor model proposed by Fama and French is 


E(Rp) — r = ap + BeMlE(Rw) — r] + BesmeE(SMB) 
+ Bp um E(HML) (6.3) 


where 


e E(Rp) is the expected return on portfolio P; 

e ris the risk-free interest rate; 

e E(Ry) — r, E(SMB), and E(HML) are the expected 
premiums; and 


e The factor sensitivities Bpm, Bp,sme, and Bp mi are the 
coefficients for the time-series regression: 


Rp— r = ap + Bey(Ru — r) + BesmeSMB + Bpm HML + ep (6.4) 


According to Fama and French, the slope of HML is a proxy 
of relative distress: Strong firms with consistently high earn- 
ings have negative HML slopes (while weak firms with con- 
sistently low earnings have positive HML slopes) because 
stronger firms typically have a higher market value relative 
to their book value. They also show that the SMB factor cap- 
tures the covariation in returns on small stocks (i.e., the small 
firm effect). 


Fama and French extended the model in 2015 by suggesting 
two additional fundamental factors:? 


1. Robust Minus Weak (RMW), which is the difference between 
the returns of companies with high (robust) and low (weak) 
operating profitability, and 


2. Conservative Minus Aggressive (CMA), which is the differ- 
ence between the returns of companies that invest conser- 
vatively and those that invest aggressively. 


When these two factors are added, Fama and French showed 
that the HML factor is redundant.!° 


Other versions of this model (e.g., Carhart (1997)) include a 
momentum factor (MOM), which is the difference between 
stocks that have risen in value over the prior month (i.e., winners) 
versus those that have fallen in value (i.e., losers). See 

Boxes 6.1, 6.2, and 6.3. 


? E.F Fama and K.R. French, “A Five-Factor Asset Pricing Model,” 
Journal of Financial Economics 116(2015), pp. 1-22. 


10 Most notably CMA, which had a -0.7 correlation with HML. 


11 M. Carhart, 1997, “On Persistence of Mutual Fund Performance,” 
Journal of Finance 52(1), 57-82. N. Jegadeesh and S. Titman, 1993, 
“Returns to Buying Winners and Selling Losers: Implication for Stock 
Market Efficiency,” The Journal of Finance 48(1), 65-90; and N. Jegadeesh 
and S. Titman, 2001, “Profitability of Momentum Strategies: An Evaluation 
of Alternative Explanations,” Journal of Finance 56(2), 699-720. 
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Box Example 6.1: 


Consider two companies: Coca-Cola and J.P. Morgan. Using 
monthly returns from January 2011 through April 2019, the esti- 
mated coefficients for the three-factor Fama-French model are 
shown below.® 


Monthly Data from January 1990 to April 2019 


Coca-Cola J.P. Morgan 

Value p-Value Value p-Value 
Alpha 0.08 | 0.82 0.16 0.71 
Beta 0.53 | 0.00 1.45 0.00 
sma | -0.74 | 0.00 -0.14 0.47 
HML -0.10 | 0.51 1.29 0.00 


2 Data sourced from Yahoo Finance and K. Fama’s website: http://mba. 
tuck.dartmouth.edu/pages/faculty/ken.french/data_library.html and 
regression performed in Excel. 


The p-values suggest that while the alphas are insignificant, 
the betas are significant at most of the typical confidence 
levels utilized for inference (i.e., 90% through 99.9%). For 
Coca-Cola, the SMB factor is significant and negative, 
indicating that when small companies outperform large ones, 
the value of Coca-Cola's equity will probably be negatively 
impacted (because Coca-Cola is a large company). On the 
other hand, J.P. Morgan does not have a significant depen- 
dence upon the SMB factor, suggesting that the health of small 
companies is not highly important to a large, broad-based 
commercial bank. However, J.P. Morgan does have a strong 
dependence on the HML factor. 


Box Example 6.2: 


An analyst believes that a firm's Fama-French dependencies are 


Value 
Beta 0.25 
SMB 1.25 
HML -0.75 


Further, the analyst believes that the firm can generate an 
extra 3.0% return annually because it has an advantage over its 
competitors. 


Accordingly, if the market forecast is 


e A12.5% return on equities over the next year; 
e An SMB of 3.5%; 


e An HML of 0.0%; and 
e Arisk-free rate of 1.5% 


The expected return for the company would be 


EIR) — r= a + BenlE(Ry) — r] + BesmeE(SMB) 
+ BeHmcE(HML) 
EIR) — 1.5% = 3.0 + 0.25[12.5 — 1.5] + 1.25 * 3.5 — 0.75 * 0.0 
EIR) = 11.63% 


Box Example 6.3: 


State Street Global Advisors has formulated several tradable 
baskets of equities, made from subsets of the S&P 500, that are 
designed to track specific indices. These equities are part of 
the Standard and Poor's Depository Receipts (SPDR) Exchange 
Traded Fund (ETF) family and can be traded in the same way as 
regular equities. 


These tradable ETFs can be used in an explanatory multi-factor 
return model (in the same way as CAPM uses a broad market 
index or Fama-French relies upon the broad market and two 
relative return indices). The fact that the SPDR ETFs are trade- 
able makes this modeling avenue compelling because it offers a 
clear way to take specific risk-mitigating actions (e.g., by trading 
these indices against the target equity). SPDRs are fairly liquid 
and there is also an active market in their derivatives. 


The nine sector SPDRs are in Table 6.2. 


Symbol Sector 

XLB Materials 

XLE Energy 

XLF Financials 

XLI Industrials 

XLK Technology 

XLP Consumer Staples 

XLU Utilities 

XLV Health Care 

XLY Consumer Discretionary 


This model is 
9 
E(r, = rA = a, + > BEC — 1) 


To look at a specific example, consider the stock for J.P. Morgan. 
The model is fit such that all the coefficients were significant (i.e., 
can be statistically distinguished from zero at the 95% confidence 
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level). The fit was estimated using the five-day excess returns over 
the US Treasury one-week rate from December 1998 to June 2019. 


J.P. Morgan 


Alpha 
Betas XLB 
XLE 
XLF 1.000 
XLI 
XLK 0.223 
XLP —0.212 
XLU 
XLV 
XLY 


To see how this might be used, consider an analyst that fore- 
casts the excess returns over the next week as: 


e XLF = 5%, 
e XLK = —4.0%, and 
e XLP = 2.0%. 


This would translate into an expected return of 3.68% 
(= 1.000 x 5.0 + 0.223 x (—4.0) — 0.212 x (2.0)) for a 
position in J.P. Morgan. 


Determining portfolio risk using all the stocks in the S&P 500 (in var- 
ious portions) would require the calculation of about 125,000 differ- 
ent variances. By using these nine factors, that number falls to less 
than 5,019. The latter is much more feasible and in practice should 
offer results that perform just as well (given the error margins). 


Statistical Factor Models 


In a statistical factor model, historical and cross-sectional data 
on stock returns are used in the model. The statistical tech- 
nique of principal components analysis is used is to explain 
the observed stock returns with “factors” that are linear return 
combinations and uncorrelated with each other. 


For example, suppose that the monthly returns for 2,000 
companies for 10 years are computed. The goal of principal 
components analysis is to produce factors that best explain the 
observed variance in the stock returns. Now suppose that five 
factors explain most of the variation in the returns of the 2,000 
stocks over the 10-year periods. These factors are statistical 
artifacts. The task then becomes to determine the economic 
meaning of each of these factors. 


6.3 FACTOR ANALYSIS 
IN HEDGING EXPOSURE 


While idiosyncratic (i.e., specific) risk can theoretically be 
eliminated through diversification, the same is not true for sys- 
tematic risk. However, factor betas can be used to construct a 
hedging strategy to eliminate systematic risk. 


Each factor can be regarded as a fundamental security and can 
therefore be used to hedge the same factor that is reflected in 
a given security. For example, a countervailing factor exposure 
in portfolio H can be used to hedge a specific type of risk in 
portfolio P. 


If the goal is to hedge out all the factor risks and create a zero- 
beta portfolio, then we can take the opposite positions in each 
of the factors so that the combined portfolio contains no factor 
exposures. If the goal is to leave a portfolio exposed to certain 
types of systematic risks, then not all factor exposures need to 

be neutralized. 


A parsimonious choice in the number of factors is essential, 

as each needs to serve an institution’s risk-adjusted return 
objectives. The selection of the appropriate systematic factors 
depends (in part) on judgment and there is no single perfect set 
of factors for all investors. 


A key challenge is determining how often a hedge needs to 

be adjusted. Note that there is a tradeoff between the cost of 
hedging and the need to keep the hedge aligned to the portfo- 
lio. If the hedging strategy is not implemented on a continuous 
basis, then tracking errors will appear. If the hedging strategy 

is updated too frequently, trading costs will be high and drag 
down overall performance. 


Another challenge is model risk, which includes both factor 
model errors and the potential for errors in implementation. 
Factor model errors occur when a model contains mathemati- 
cal errors or is based on misleading/inappropriate assumptions. 
For example, a hedging strategy that is based on linear factor 
models that fail to capture nonlinear relationships among the 
factors will be flawed. 


Another common error in model building is to assume 
stationarity in the underlying asset distribution, as often such 
distributions can evolve over time. Additionally, assumptions 
built into models may fail to hold in certain conditions, such 
as during stressed markets. During the 2007-2009 financial 
crisis, for example, many market-neutral hedge funds 
performed poorly. 
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The following questions are intended to help candidates understand the material. They are not actual FRM exam questions. 


QUESTIONS 


6.1 


6.2 


6.3 


6.4 
6.5 
6.6 


While APT demonstrates that there are other factors in 
addition to the market factor that impact security returns, 
it fails to identify what those factors are. 


A. True 
B. False 


APT assumes asset returns are normally distributed. 


A. True 
B. False 


APT requires that investors make decisions based on 
mean and variance. 


A. True 
B. False 


What is the basic idea of the APT? 
What are the three key assumptions of the APT? 
Chen, Roll, and Ross (1986) tested the APT model and 


found several explanatory variables for the average rate of 

return on stocks traded on the NYSE. Which of the follow- 

ing is not an explanatory variable in their empirical test? 

A. Expected and unexpected inflation 

B. The yield spread between high and low risk corporate 
bonds 

C. The yield spread between long and short maturity 
bonds 

D. The change in money supply in the economy 


Unlike the CAPM, the APT rewards investors for accepting 
specific risk. 

A. True 

B. False 


6.8 


6.9 


6.10 


6.11 


6.12 


In a statistical factor model, are the macroeconomic and 
fundamental factors clearly identified using principal com- 
ponent analysis? 


Roll noted that well-diversified portfolios are nonetheless 
highly correlated if the holdings are concentrated within 
the same asset class. True or false? Explain. 


The Fama-French three-factor model adds two risk factors 
beyond the market index to explain past average rates of 
return. Which of the following ratios is a risk factor in the 
Fama-French empirical model? 

A. EBITDA to total sales 

B. Current assets to current liabilities 

C. Net profit to total assets 

D. Book-to-market values 


The Fama-French five factor model added two more fac- 
tors. Which of the following is a basis for one of these new 
risk factors? 

A. Operating profitability 

B. Current assets to current liabilities 

C. Net profit to total assets 

D. Last month performance 


Factor betas in a well-diversified portfolio provide a means 
for constructing a hedging strategy to reduce systematic 
risk. True or False? Discuss. 
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The following questions are intended to help candidates understand the material. They are not actual FRM exam questions. 


ANSWERS 


6.1 


6.2 
6.3 
6.4 


6.5 


6.6 


6.7 


6.8 


True 


Although APT asserts there are multiple factors, it does 
not identify those factors. 


False 
False 


The basic idea of APT is that investors can create a 
zero-beta portfolio with zero net investment. If such a 
portfolio yields positive return, then a sure profit can be 
realized by arbitraging. In the real world, any existing 
arbitrages would be exploited away. 


APT has three underlying assumptions. 


1. Asset returns can be explained by systematic factors. 

2. By using diversification, investors can eliminate 
specific risk from their portfolios. 

3. There are no arbitrage opportunities among well- 
diversified portfolios. If any arbitrage opportunities 
were to exist, investors would exploit them away. 


D. The change in money supply in the economy 

The explanatory variables were 

e The spread between long-term and short-term inter- 
est rates (reflecting shifts in time preferences); 

e Expected and unexpected inflation; 

e Industrial production (reflecting changes in cash flow 
expectations); and 

e The spread between high-risk and low-risk corporate 
bond yields (reflecting changes in risk preferences). 

Neither the APT nor the CAPM find that investors should 


be rewarded for accepting specific risk. 


In a statistical factor model, principal component analysis 
provides factors that best explain the observed variance 
in returns of the stocks being analyzed. These factors 

are statistically derived and are not identified as specific 
macroeconomic or fundamental factors. 


6.9 


6.10 


6.11 


6.12 


True 


Roll noted that well-diversified portfolios exhibit high 
correlations when constrained to the same asset class, 
whereas there is much less correlation when portfolios 
are diversified across multiple asset classes. 


D. Book-to-market values 


HML is the difference between the returns on stocks with 
high book-to-market values and those of stocks that have 
low book-to-market values. 


A. Operating profitability 


Fama and French extended the model in 2015 by sug- 
gesting two additional factors: 


41. RMW, which is the difference between the returns of 
companies with high (robust) and low (weak) operating 
profitability; and 

2. CMA, which is the difference between the returns of 
companies that invest conservatively and those that 
invest aggressively. 


True 


Each factor can be used to hedge the same factor expo- 
sure that is reflected in a given security. For example, 

to hedge a positive exposure to a factor, another secu- 
rity with a negative factor beta to that factor can be 
purchased (or one with a positive factor beta could be 
shorted). 
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Principles for 
Effective Data 


Aggregation and 


Risk Reporting 


E Learning Objectives 


After completing this reading you should be able to: 


® Explain the potential benefits of having effective risk data 
aggregation and reporting. 


® Explain challenges to the implementation of a strong risk 
data aggregation and reporting process and the potential 
impacts of using poor-quality data. 


® Describe key governance principles related to risk data 
aggregation and risk reporting. 


® Describe characteristics of effective data architecture, IT 


infrastructure, and risk reporting practices. 
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7.1 INTRODUCTION 


Effective risk analysis requires sufficient and high-quality data. 
This makes data a major asset in today's world, and it should be 
treated as such. 


Risk analyses can be made using the internal data of an organi- 
zation (e.g., transaction data within a financial institution or the 
specific costs of raw materials for a manufacturing company). 
The major concern with this type of data is whether it is kept 

in an organized way so that it can be used for analysis. Statisti- 
cal techniques for analyzing this data are wide ranging and 

can include tools such as machine learning and artificial intel- 
ligence (Al). 


Data can also come from outside the organization (e.g., exter- 
nal data on the economy or on a specific industry). Financial 
institutions need data on past inflation rates, changes in money 
supply, major interest rates, exchange rates, and so on. Some 
external data can be collected from public sources, whereas 
other types of data may have to be purchased from traditional 
and non-traditional sources. Non-traditional sources of infor- 
mation are referred to as alternative data and includes data 
gathered by third parties such as information from scrapping the 
web, mobile devices, and sensors. 


BOX 7.1 DATA IN MODEL RISK 


Data acquisition plays an important role in model risk. 
Financial institutions rely on models to guide their day- 
to-day operations and to analyze their risk exposures. As 
a result, even the smallest of model errors can have dire 
consequences. 


Model risk can be decomposed into four components:* 
input risk, estimation risk, valuation risk, and hedging risk. 
Note that data acquisition is especially pertinent when 
considering input risk. Models depend on the quality of 
data because it is used to create statistical estimators 

of their parameters. As the adage goes: “garbage-in, 
garbage-out”. 


*M. Crouhy, D. Galai, and R. Mark, Risk Management, McGraw 
Hill, 2002, p. 586. 


For many years, financial firms collected data on either a depart- 
mental or business activity basis. Generally, these efforts were 
not well coordinated or managed. Different departments often 
used different data sources, resulting in duplication in some 
cases. A lot of data was neglected and even destroyed (e.g., 
data loss can occur when moving from one computer system to 
another). In the 1960s and 1970s, data were stored on paper 
cards or computer tapes. Later storage devices included floppy 


disks and hard disk drives, neither of which were compatible 
with the older generation of systems. 


A special committee of the Basel Committee on Banking Supervi- 
sion (BCBS) examined bank data collection, data storage, and 

data analysis practices. That committee uncovered many problems 
within the industry and subsequently published a special report on 
risk data management. It concluded that data quality in the banking 
industry was inadequate to aggregate and report risk exposures 
across business lines, legal entities, and at the bank group level. 


In recognition of these inadequacies, the BCBS published a set 
of 14 principles to guide banks as they overhauled their risk data 
aggregation and reporting capabilities (BCBS 239).' The BCBS 
defines risk data aggregation as the “process of defining, gath- 
ering, and processing risk data according to [a firm’s] risk report- 
ing requirements to enable the bank to measure its performance 
against its risk tolerance/appetite.” 


The principles and supervisory expectations outlined in BCBS 
239 apply to risk management data and models. These prin- 
ciples cover governance/infrastructure issues, risk data aggrega- 
tion procedures and needs, reporting, and considerations for 
supervising authorities. 


Banks have struggled to comply with BCBS 239 and the original 
timeline to achieve full compliance was not met by any bank. 
This is largely due to the highly complex nature of the IT reengi- 
neering involved in bringing the various systems into compliance 
as well as the dynamic nature of the principles.* The exponential 
increase in the application of Al techniques on large data sets 
has also made compliance with BCBS 239 more challenging. 


Section 7.2 explains how effective risk data aggregation and 
reporting can allow organizations to measure risk across an 
enterprise.? Section 7.3 describes the key BCBS governance 
principles.* Section 7.4 identifies the data and IT infrastructure 
features that contribute to effective data aggregation and 
reporting. Section 7.5 describes specific characteristics of a 
strong risk aggregation capability as well as the interactions 
between those characteristics. Finally, section 7.6 describes the 
characteristics of effective risk reporting practices and the need 
for forward looking capabilities to give preemptive signals of 
potential risk exceedances. 


1 Principles for effective risk data aggregation and risk reporting (Rep.). 
(2013, January). Retrieved https://www.bis.org/publ/bcbs239. pdf 


2 See Basel Committee on Banking Supervision, June 2018, Progress 
in adopting the Principles for effective risk data aggregation and risk 
reporting (RDARR): https://www.bis.org/publ/bcbs443.pdf 


3 The specific costs and benefits of enterprise risk management (ERM) 
will be discussed in Chapter 8. 


* Best practices in corporate governance were discussed in Chapter 2. 
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7.2 BENEFITS OF EFFECTIVE 
RISK DATA AGGREGATION AND 
REPORTING 


If a firm fully adheres to the BCBS principles, its risk manag- 

ers will have less uncertainty regarding the accuracy, integrity, 
completeness, timeliness, and adaptability of the data they use. 
Simply put, risk management benefits from having high-quality 
risk data at all levels of the organization. 


Designing and implementing an effective risk data aggrega- 
tion and reporting capability enhances tactical and strategic 
decision-making processes. This reduces the chance of losses 
and improves risk-adjusted returns. 


Banks need to leverage the relevant risk information and care- 
fully consider what data can be obtained (and at what cost). It 
can be challenging for risk managers to process and refine fast 
moving big data® into usable risk information. It is essential that 
decision-makers have confidence in the quality of the underlying 
data. If the information is inaccurate or incomplete, manage- 
ment may not be able to make sound risk decisions. 


Advances in data analytics (e.g., machine learning) are being 
used to collect, analyze, and convert large volumes of unstruc- 
tured data® into usable information. This makes it easier for orga- 
nizations to avoid information overload and enables them to turn 
vast amounts of data into a strong competitive advantage.’ 


Rigorous model validation also plays a critical role in risk man- 
agement.® In the United States, model developers must comply 
with regulatory guidance on model vetting. The Federal Reserve 
provides comprehensive guidance for banks on effective model 
risk management.’ This guidance calls for a “rigorous assess- 
ment of data quality . . . as well as the proper documenta- 
tion.” 10 Model developers need to demonstrate that the data 


5 Big data is data that are so big and complex that traditional data pro- 
cessing techniques are inadequate. 


6 This is data without a pre-defined data model or otherwise lacking a 
pre-defined approach to organization. 


7 COSO, “Enterprise Risk Management: Integrating Strategy with Per- 
formance,” June 2017. (See Principle 18: Leverages Information and 
Technology.) 


8M. Crouhy, D. Galai, and R. Mark, The Essentials of Risk Management 
(2"4 edition), Chapter 15, McGraw Hill, 2014, offers a more complete 
discussion on model risk management. 


? United States, Board of Governors of the Federal Reserve System, 
Office of the Comptroller of the Currency (2011), “Supervisory Guidance 
on Model Risk Management (SR 11-7).” Retrieved from https://www. 
federalreserve.gov/supervisionreg/srletters/sr1107a1.pdf 


10 Basel Committee on Banking Supervision, January 2013, “Principles 
for effective risk data aggregation and risk reporting.” 


they use are suitable as well as consistent with both the theory 
behind the model and the chosen methodology. 


BCBS 239 was a major driver in the rise of the chief data officer 
(CDO) function. The CDO is typically responsible for standardiz- 
ing a firm's approach to data management. Note that data stan- 
dardization efforts have grown well beyond reference data to 
include financial products data and accounting data." If inde- 
pendent departmental applications and methodologies are 
based on consistent standards, the data that flows up through 
an organization's structure will provide a reliable, accurate, and 
manageable view of the institution’s total risk profile. 


If this is not the case, however, important connections among dif- 
ferent dimensions of an organization's business will not be trans- 
parent. An example of such data risk is the case where customers 
with credit products in different business lines (e.g., mortgage 
loans and a credit card) are not recognized as the same customer 
due to the absence of standardized customer identification codes. 


An operational process that allows flawed data to enter the sys- 
tem may eventually cause failures in the aggregate. An example 
of such a failure can be seen in the role of erroneous/fraudulent 
mortgage application data in precipitating the 2007-2008 col- 
lapse of the U.S. housing market. Note that this flawed data, 
which concerned loan suitability, was submitted by individuals 
one application at a time yet at an unusually high frequency. 


7.3 KEY GOVERNANCE PRINCIPLES 


BOX 7.2 PRINCIPLE 1* 


Governance—A firm's risk data aggregation capabilities 
and risk reporting practices should be subject to strong 
governance arrangements consistent with other principles 
and guidance established by the Basel Committee. 


*Basel Committee on Banking Supervision, January 2013, 
“Principles for effective risk data aggregation and risk reporting.” 


A strong governance framework (see Principle 1 in Box 7.2) 


combined with a well-designed risk data and IT infrastructure? 


11 The Financial products Markup Language (FpML) is one such exam- 
ple. FpML defines a taxonomy and structure of financial derivative 
products using the eXtensible Markup Language (XML) standards. For 
example, FpML includes structural definitions not only for derivatives, 
but also for the underlying financial instruments and assets to which 
financial derivatives contracts must necessarily refer. 


12 Infrastructure describes the actual components of a system. Architecture 
describes the design of the components and their relationships. For exam- 
ple, a system is built on an infrastructure that has a specific architecture. 
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(see Principle 2 in Box 7.3) is necessary to ensure BCBS 239 
compliance. Furthermore, independent validation is necessary 
to ensure risk data aggregation and risk reporting (RDARR) 


capabilities “are functioning as intended and are appropriate for 


the [firm's] risk profile.” 13 


As of mid-2019, most banks are still finding it difficult to imple- 
ment the BCBS 239 principles. It is therefore critical that the 
board and senior management understand the limitations pre- 
venting effective RDARR and remedy any shortcomings. If risk 
data are the blood of a financial enterprise, then data integra- 
tion constitutes its circulatory system. A bank with a limited 
ability to integrate data will have difficulties in satisfying the 
Basel principles. 


A key challenge is collecting data from the various internal and 
external sources and feeding it into risk analytics systems. Typi- 
cally, risk management applications do not access these data 
sources directly. Instead, the information is copied, extracted, 
translated, and loaded into a financial data warehouse. This 
approach prevents the execution of computationally intensive 
analytical processes from degrading the performance and 
response times of operational systems. 


Effective (i.e., fully or largely compliant) risk data governance is 
achieved by implementing policies that set “out a clear delinea- 
tion of roles, incentive schemes, and responsibilities for risk data 
management (including dedicated staff responsible for defining 
risk data expectations).”'5 


Conversely, a hallmark of ineffective (i.e., non-compliant) risk 
governance is “a lack of structured policies and frameworks to 
consistently assess and report risk data activities to the board 
and senior management.” 16 


The board has an important governance role related to RDARR. 
It should, in addition to reviewing and approving a bank's 
RDARR, ensure that the appropriate resources are available. 
RDARR policies should be reviewed, and revised if necessary, 
after major acquisitions or changes in strategy. 


13 Basel Committee on Banking Supervision, January 2013, “Principles 
for effective risk data aggregation and risk reporting.” 


14 Data integration involves the extracting, translating, associating, 
merging, constructing, and loading of data from physical data sources 
into a data store based on a given set of logical and physical models. 


15 Basel Committee on Banking Supervision, June 2018, “Progress 
in adopting the Principles for effective risk data aggregation and risk 
reporting (RDARR).” 


16 Ibid. 


7.4 DATA ARCHITECTURE AND IT 
INFRASTRUCTURE 


BOX 7.3 PRINCIPLE 2* 


Data architecture and IT infrastructure—A bank should 
design, build, and maintain data architecture and IT infra- 
structure which fully supports its risk data aggregation 
capabilities and risk reporting practices not only in normal 
times but also during times of stress or crisis, while still 
meeting the other Principles. 


*Basel Committee on Banking Supervision, January 2013, 
“Principles for effective risk data aggregation and risk reporting.” 


Firms should establish integrated risk data architectures. 
Roles should be clearly specified, including the responsibili- 
ties for ensuring “adequate controls throughout the lifecycle 
of the data and for all aspects of the technology 


infrastructure.” 17 


There is no uniform blueprint in place for a BCBS 239-compliant 
infrastructure and solutions are specific to each institution. The 
optimal approach ensures that all people and systems within the 
banking group are working with the same data, the same mod- 
els, and the same assumptions. 18 


Firms should create information on data characteristics. This 
could be in the form of various data models. The four primary 
types of data models include: semantic data, conceptual data, 
logical data, and physical data. 


Semantic data models address the agreed-upon meaning of ele- 
ments in the model.'? Conceptual models confirm human 
understanding of the system and its objectives.2° Physical data 


17 Basel Committee on Banking Supervision, January 2013, “Principles 
for effective risk data aggregation and risk reporting.” 


Bs, Ludwig and M. Gujer (2016), “The Art of Adaptable Architecture— 
Implementing BCBS 239.” Retrieved from https://www.fisglobal.com/ 
solutions/institutional-and-wholesale/commercial-and-investment- 
banking/-/media/fisglobal/files/whitepaper/the-art-of-adaptable- 
architecture.pdf 


19 Semantic model standardization initiatives improve the efficiency 

and quality of enterprise financial risk management as well as support 
industry-wide and global financial data standards. Usually accompany- 
ing a semantic model is a documented understanding of the behavior of 
elements acting on other elements. 


20 Conceptual models take on a high-level design of the groupings of 
informational elements, structures, and processes that interact with each 
other. 
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models translate the data requirements and properties 
expressed in the logical model into a specific implementation on 


an IT hardware/software vendor system platform.?! 


In summary, banks with effective (i.e., fully or largely compliant) 
data architecture and IT infrastructure have consolidated their 
“data categorization approaches and structures as well as inte- 
grated data taxonomies.” 


Conversely, banks with ineffective (i.e., non-compliant) data 
architecture and IT infrastructure lack the “appropriate pro- 
cesses and controls to ensure that the risk reference data is 


updated following changes in business activities.”2? 


7.5 CHARACTERISTICS OF A 
STRONG RISK DATA AGGREGATION 
CAPABILITY 


Firms need to monitor their data on an ongoing basis to ensure 
its accuracy and integrity (see Principles 3 and 4 in Box 7.4). Risk 
data should be complete, reconciled with sources, and include 
all material risk disclosures at a granular level. Classifications 
and categorizations are necessary to present complete and 
manageable information to executive management. If classifica- 
tions are too broad, however, information loss and data distor- 
tion can occur. 


Banks should also be “able to produce aggregate risk informa- 
tion on a timely basis”? (see Principle 5 in Box 7.4). The 
degree of timeliness required depends on the risk area being 
monitored. For example, data used to measure risk on the 
trading floor will need to generate risk information on a time- 
lier basis when compared to risk information on a corporate 
loan. Information systems dedicated to trading rooms must 


NA physical data model can generate the specific operations, proce- 
dures, and data loads to create a functioning database instance of the 
logical data model. 


22 Basel Committee on Banking Supervision, June 2018, "Progress 

in adopting the Principles for effective risk data aggregation and risk 
reporting (RDARR).” This report also mentions as an example “a data 
dictionary and a single data repository or data warehouse for each risk 
type identified and constructed” 


23 Ibid. The report also mentions as an example of this “a lack of a for- 
malized escalation process to communicate poor data quality to senior 
management”. 


24 Basel Committee on Banking Supervision, January 2013, “Principles 
for effective risk data aggregation and risk reporting.” 


accommodate a wide variety of specific and potentially com- 
plex financial instruments. These risks need to be evaluated 
quickly and frequently for the purposes of managing a trading 
book or a portfolio. 


Trading systems apply sophisticated analytical valuation and 
pricing algorithms to portfolio positions. They typically use 

data structures, customized either by vendors or designed by 
in-house development teams, to record the details of financial 
instrument contracts. Compromises in timeliness are often made 
due to the need to extract and map data from different trading 
systems into other systems that can integrate, summarize, and 
report on the consolidated data. 


Furthermore, risk data aggregation practices need to be adapt- 
able (see Principle 6 in Box 7.4). An example of adaptability 
would be the ability to integrate a hypothetical stress scenario 
with other parts of the portfolio to produce an aggregated 
enterprise risk measure. Adaptability would also include the 
capability to incorporate changes in an upcoming regulatory 
framework (e.g., an update to Basel capital regulatory rules) and 
the ability to combine that with historical data to produce an 
overall risk measure. 


The BCBS notes that an effective (i.e., fully or largely compliant) 
capability to aggregate risk data features “appropriate data ele- 
ment certification, data quality documentation, data quality 
assurance mechanisms, assessment of data quality per risk type, 
and documented and effective controls for manual 


processes.”2> 


Conversely, ineffective (i.e., with compliance gaps) risk data 
aggregation capabilities may feature “deficiencies in data qual- 
ity controls . . . ; [lack of properly established] data quality rules 
such as minimum standards for data quality reporting thresh- 
olds; absence of a designated authority [oversight] . . . ; lack of 
an effective escalation model . . . ; and weaknesses in [quality 
control]” as well as ”. . . overreliance on manual . . . processes 
without proper documentation [and policy] . . . , lack of reconcili- 
ation for certain key reports . . . and no variance analysis . . . , 
inability to promptly [also without automation] source risk data 
from foreign subsidiaries . . . , lack of standardization of refer- 
ence data.”26 


25 Basel Committee on Banking Supervision, June 2018, “Progress 
in adopting the Principles for effective risk data aggregation and risk 
reporting (RDARR).” 


26 ibid. 
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BOX 7.4 PRINCIPLES 3 TO 6* 


Principle 3: 


Accuracy and Integrity—A bank should be able to gen- 
erate accurate and reliable risk data to meet normal and 
stress/crisis reporting accuracy requirements. Data should 
be aggregated on a largely automated basis to minimize 
the probability of errors. 


Principle 4: 


Completeness—A bank should be able to capture and 
aggregate all material risk data across the banking group. 
Data should be available by business line, legal entity, asset 
type, industry, region, and other groupings, as relevant for 
the risk in question, that permit identifying and reporting 
risk exposures, concentrations, and emerging risks. 


Principle 5: 


Timeliness—A bank should be able to generate aggre- 
gated and up-to-date risk data in a timely manner while 
also meeting the principles relating to accuracy and integ- 
rity, completeness, and adaptability. The precise timing 
will depend upon the nature and potential volatility of 

the risk being measured as well as how critical it is to the 
overall risk profile of the bank. The precise timing will also 
depend on the bank-specific frequency requirements for 
risk management reporting, under both normal and stress/ 
crisis situations, set based on the characteristics and over- 
all risk profile of the bank. 


Principle 6: 


Adaptability—A bank should be able to generate aggre- 
gate risk data to meet a broad range of on-demand, 

ad hoc risk management reporting requests, including 
requests during stress/crisis situations, requests due to 
changing internal needs, and requests to meet supervisory 
queries. 


*Basel Committee on Banking Supervision, January 2013, 
“Principles for effective risk data aggregation and risk reporting.” 


7.6 CHARACTERISTICS OF EFFECTIVE 
RISK REPORTING PRACTICES 


Banks also have significant progress to make when it comes to 
the BCBS 239 principles on effective risk reporting practices. 


The BCBS notes that “risk management reports should be accu- 
rate and precise to ensure a bank's board and senior manage- 
ment can rely with confidence on the aggregated information 


to make critical decisions about risk"? (see Principle 7 in 
Box 7.5). 


For instance, the ability to use models to aggregate risk 
depends upon having those models be fully vetted to ensure 
that the results are accurate within a given level of specificity. 
Banks should also establish accuracy and precision requirements 
for their risk reports that reflect the criticality of decisions made 
using risk information. 


Risk reports also need to be comprehensive and cover all risk 
types (see Principle 8 in Box 7.5). These risks include the Pillar 1 
and Pillar 2 risks.28 


Risk reports need to be clear and useful as well as meet the 
needs of their users (see Principle 9 in Box 7.5). The BCBS notes 
that “reports should include an appropriate balance between risk 
data, analysis and interpretation, and qualitative explanations.”2? 
These reports should be purposeful, in the sense that they should 
be tailored towards a specific audience (e.g., a trading unit or a 
lending unit). For example, risk reports for a board of directors 
should not be difficult to interpret at an aggregate level. 


Risk reporting frequency is a function of the risk type and pur- 
pose of each risk report (see Principle 10 in Box 7.5). During 
times of stress, report frequency may increase to keep pace 
with unusually fast-moving markets. Additionally, there may be 
situations where rapid risk analyses are required to facilitate 
decision-making. In short, all these situations should be planned 
for ahead of time (to the extent such preparation is possible). 


However, there may be unavoidable limits on reporting fre- 
quency. For example, in cases where forward-looking stochastic 
cash flow simulations are used, the volume of data produced 
can be significantly larger than that of the input data. Having 
too much output data can negatively impact a firm’s ability to 
perform the necessary quality checks, 


The generation of many scenario iterations can also affect the 
frequency of risk reports.2° Combining multiple analyses and 
model iterations requires consistent contexts and synchronized 


27 ibid. 
28 Pillar 1 risks include market risk, credit risk, and operational risk. 


Pillar 2 risks include business risk, reputation risk, and strategic risk. 
Chapter 1 describes and differentiates among the key classes of risks. 


2? Basel Committee on Banking Supervision, January 2013, “Principles 
for effective risk data aggregation and risk reporting.” 


30 The cycle of sample, process, and review and act upon results repeats 
itself, often daily, producing yet more results datasets. In addition to the 
need to manage these results datasets, there is a need for the annota- 
tion and attribution of scenario assumptions corresponding to the data 
in the results data repository. 
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BOX 7.5 PRINCIPLES 7 TO 11* 


Principle 7: 


Accuracy—Risk management reports should accurately 
and precisely convey aggregated risk data and reflect risk 
in an exact manner. Reports should be reconciled and 
validated. 


Principle 8: 


Comprehensiveness—Risk management reports 
should cover all material risk areas within the organiza- 
tion. The depth and scope of these reports should be 
consistent with the size and complexity of the bank's 
operations and risk profile, as well as the requirements 
of the recipients. 


Principle 9: 


Clarity and usefulness—Risk management reports should 
communicate information in a clear and concise manner. 
Reports should be easy to understand yet comprehensive 
enough to facilitate informed decision-making. Reports 
should include meaningful information tailored to the 
needs of the recipients. 


Principle 10: 


Frequency—the board and senior management (or 

other recipients as appropriate) should set the frequency 
of risk management report production and distribution. 
Frequency requirements should reflect the needs of the 
recipients, the nature of the risk reported, and the speed 
at which the risk can change, as well as the importance 

of reports in contributing to sound risk management and 
effective and efficient decision-making across the bank. 
The frequency of reports should be increased during times 
of stress/crisis. 


Principle 11: 


Distribution—Risk management reports should be distrib- 
uted to the relevant parties while ensuring that confidenti- 
ality is maintained. 


*Basel Committee on Banking Supervision, January 2013, 
“Principles for effective risk data aggregation and risk reporting.” 


scenario parameters that are easily applied to independent 
model runs. Lack of such scenario consistency will result in 
important aspects of the diversification across scenarios being 
lost. In turn, this can destroy a model's ability to determine the 
volatility of the aggregate results. 


Another key requirement is creating an agreed-upon set of 
report distribution lists, with an eye toward making sure that 


reports are provided to all relevant decision-makers (see Prin- 
ciple 11 in Box 7.4). A distribution list also needs to recognize 
the degree of confidentiality of the information contained within 
specific sections of the overall report. 


In summary, effective reporting capabilities feature routine risk 
reports having useful information and providing preemptive 
analyses and dynamic features. A drill down of risk data from 
these reports can enable rigorous analyses across different risks 
and be accessed with an easy-to-use interface. 


Conversely, ineffective risk reporting capability would have the 
opposite features (not all are required and this list is far from 
comprehensive): static/inflexible, lacking ability to answer even 
simple drill down questions, and difficult to understand. 


CONCLUSION 


The original goal of the Basel Committee was to ensure that 
firms developed strategies to meet the BCBS 239 principles by 
2016. However, we still have a long way to go. 


The Risk Data Network (RDN) periodically releases progress 
reports on implementation of the BCBS 239 principles.°" In 
these reports, supervisors rate firms’ current performance on 
achieving compliance with the RDARR principles (see the 
appendix for details). These ratings are affirmed by a 2016 sur- 
vey conducted by McKinsey & Company and the Institute of 
International Finance (IIF)—which revealed that despite signifi- 
cant investments, banks are still struggling to comply with the 
principles.32 


A study from PwC showed higher performance for compliance 
with Principles 7-11 (risk reporting) compared to Principles 3-6 
(data aggregation). Meanwhile, Principles 1 (governance) and 2 
(data architecture and infrastructure) have poor compliance rates. 


Although these principles are focused on internal risk reporting, 
some supervisors have indicated regulatory and stress-testing 
results would also help to inform the process when assessing 
bank compliance. More recently, the European Central Bank has 
stated that financial and regulatory reporting is part of BCBS 
239 compliance. Though many banks have asked, regulators 
have not come forward with clearer guidelines for compliance. 


31 The Working Group on SIB Supervision (WGSS) was transformed into 
the RDN in early 2016 with a stronger focus on supervisory evaluations. 


32 H, Harreis, A. Tavakoli, T. Ho, J. Machado, K. Rowshankish, and 
P. Merrath, (2017, May). “Living with BCBS 239.” Retrieved from 
https://www.mckinsey.com/business-functions/risk/our-insights/ 
living-with-bcbs-239 
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Levels of Compliance and Banks by Principle (2016 vs 2017) 
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@Largely compliant 
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2016 supervisor's 
assesments : 


Levels of compliance with RDARR principles. 


W Fully compliant 
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assesments : E Materially non-compliant 
E Non-compliant 


Source: Progress in Adopting the Principles for Effective Risk Data Aggregation and Risk Reporting, June 2018, Basel Committee 
on Banking Supervision. Reprinted by permission of the Bank for International Settlements. 


P1 P2 P3 P4 P5 P9 P10 P11 
2017 2.90 2.73 2.60 2.90 | 2.87 3.03 | 2.97 3.33 
2016 2.83 2.60 2.60 2.93 | 2.73 3.10 | 2.97 3.37 
Change | 0.07 0.13 0 -0.03 | 0.13 0 —0.03 | 0.03 | -0.07 | 0 =0.03 


Internal bank gap analysis. 


BOX 7.6 PRINCIPLES 12 TO 14* 


Principle 12: 


Review—Supervisors should periodically review and evaluate 
a bank's compliance with the eleven Principles above. 


Principle 13: 


Remedial actions and supervisory measures—Super- 
visors should have and use the appropriate tools and 
resources to require effective and timely remedial action 
by a bank to address deficiencies in its risk data aggrega- 
tion capabilities and risk reporting. 


Principle 14: 


Home/host cooperation—Supervisors should cooperate 
with relevant supervisors in other jurisdictions regard- 
ing the supervision and review of the Principles, and the 
implementation of any remedial action if necessary. 


*Basel Committee on Banking Supervision, January 2013, 
“Principles for effective risk data aggregation and risk reporting.” 


The regulators continue to emphasize that ascertaining compli- 
ance with BCBS 239 is a subjective exercise and that the stan- 
dards for each bank are accordingly bespoke. 


APPENDIX 


Compliance Levels of 30 Banks 


In Figure 7.1, the small changes in the average compliance rat- 
ings (on scale of 1 to 4) with BCBS 239 between 2016 and 2017 
illustrate the minimal progress observed in the Principles’ imple- 
mentation. The scale ranges from being “fully compliant” (a rat- 
ing of 4) to “non-compliant” (a rating of 1). The scores for the 
ith Principle are shown in Figure 7.2. For example, Principle 1 
was rated 2.83 in 2016 and 2.90 in 2017. 
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The following questions are intended to help candidates understand the material. They are not actual FRM exam questions. 


QUESTIONS 


7.1 


7.2 


7.3 


7.4 


BCBS 239 concerns 

A. conducting scenario analysis. 

B. liquidity requirements in banks. 

C. how to deal with data in a bank. 

D. details of how to implement the Graham-Dodd Act 


Is the following statement True or False? 


The original timeline to achieve full compliance with BCBS 
239 was not met by any bank. 

A. True 

B. False 


Is the following statement True or False? 


There is a uniform blueprint in place for BCBS 239 compli- 
ant infrastructures. 

A. True 

B. False 


Is the following statement True or False? 


7.5 


7.6 


7.7 


7.8 


7.9 


An additional requirement that has emerged since the 
original BCSBS 239 principles were published is the 
expectation that BCBS 239 principles should also apply to 
banks’ regulatory reporting. 

A. True 

B. False 


Please provide an example of compliant risk data gover- 
nance in BCBS 239. 


Please provide an example of effective risk reporting in 
BCBS 239. 


Why was the original timeline to achieve full compliance 
with BCBS 239 not met by any bank? 


What are the characteristics of a strong risk data aggrega- 
tion capability? 


Explain how model risk is affected by data quality. 
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The following questions are intended to help candidates understand the material. They are not actual FRM exam questions. 


ANSWERS 


7.1 


7.2 


7.3 


7.4 


7.5 


7.6 


C. how to deal with data in a bank. 


The principles and supervisory expectations outlined in 
BCBS 239 apply to risk management data and models. 

These principles cover governance/infrastructure issues, 
risk data aggregation procedures and needs, reporting, 
and considerations for supervising authorities. 


True 


Banks have struggled to comply with BCBS 239 and the 
original timeline to achieve full compliance was not met 
by any bank. 


False 
Solutions are specific to the individual institution. 
True 


The European Central Bank has stated that financial and 
regulatory reporting is part of BCBS 239 compliance. 


Policies are in place that set “out a clear delineation of 
roles, incentive schemes, and responsibilities for risk data 
management (including dedicated staff responsible for 
defining risk data expectations)."°3 


Effective reporting capabilities feature routine risk 
reports having useful information and providing 


33 Basel Committee on Banking Supervision, January 2013, “Principles 
for effective risk data aggregation and risk reporting.” 


7.7 


7.8 


7.9 


preemptive analyses and dynamic features. A drill down 
of risk data from these reports can enable rigorous analy- 
ses across different risks and be accessed with an easy- 
to-use interface. 


e The underestimation of the compliance 
efforts required due to the complexity of the 
problems, 


e The exponential increase in the application of Al tech- 
niques on large data sets, and 


e Cost considerations. 


e To ensure accurate and reliable risk data, 


e To capture and aggregate all material risk data 
(completeness), 


e To Produce aggregate risk information on a timely 
basis (timeliness), and 


e To Generate ad hoc reports on data and risk 
analyses in response to management needs 
(adaptability). 

The quality of any model is heavily dependent on the 

accuracy of the input data. If the quality of data that 

feeds the model is garbage, then the adage garbage-in, 
garbage-out applies. Data errors can significantly alter 
estimated model parameters. 
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Enterprise Risk 


Management and 


Future Trends 


E Learning Objectives 


After completing this reading you should be able to: 


® Describe Enterprise Risk Management (ERM) and compare 
an ERM program with a traditional silo-based risk manage- 
ment program. 


® Describe the motivations for a firm to adopt an ERM 
initiative. 
® Explain best practices for the governance and implemen- 


tation of an ERM program. 


® Describe risk culture, explain the characteristics of a 
strong corporate risk culture, and describe challenges to 
the establishment of a strong risk culture at a firm. 


® Explain the role of scenario analysis in the implementa- 
tion of an ERM program and describe its advantages and 


disadvantages. 


® Explain the use of scenario analysis in stress testing pro- 


grams and capital planning. 
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8.1 ERM: WHAT IS IT AND WHY DO 
FIRMS NEED IT? 


Earlier chapters of this book have focused on specific risk types 
(e.g., credit risk, market risk, or operational risk). This approach 
has also been adopted by banking regulators, who require 
banks to hold minimum capital against credit, market, and oper- 
ational risk (e.g., Pillar | of Basel IIl). Looking at risk within risk 
types and specific business portfolios makes it easier to: 


e Define and measure risk (e.g., most financial models deal 
with specific risks), 


e Aggregate risk within business lines, and 
e Determine whether to retain risk or partially/fully hedge risk 


e Use derivative instruments (if hedging risk), which tend to be 
risk specific. 


However, it is also important to compare exposures to one another. 
Doing so allows firms to prioritize risk management and under- 
stand how risk-type and business line exposures add up to their 
total exposure. At the enterprise level, risks may negate each other 
(e.g., through netting? and diversification) or exacerbate each other 
(e.g., through risk concentrations, contagion, and cross-over risks). 


BOX 8.1 CROSS-OVER RISKS—THE 
NORTHERN ROCK EXAMPLE 


A perceived weakness in one risk management area (e.g., 
credit risk) can reveal weakness in another area (e.g., funding 
liquidity). Northern Rock discovered this to its detriment dur- 
ing the initial stages of the 2007-2009 global financial crisis. 


The fast-growing bank had developed a strategy that left it 
highly dependent on investors and wholesale markets—rather 
than customers’ deposits—for its funding. It tried to manage 
this funding concentration risk by diversifying geographically 
beyond its home market in the United Kingdom by tapping 
funding markets in continental Europe and the United States. 


However, that approach left the institution vulnerable to 
the global storm in funding markets that erupted when 
investors began shunning banks perceived as having 
risky lending strategies (as we discussed in Chapter 5). 
Northern Rock officials later claimed that this kind of 
global funding market shutdown was “unforeseeable.” 


Source: House of Commons, Treasury Committee, “The 
Run on the Rock,” January 2008, p. 16. 


1 Regulators are also concerned with many other risks facing a bank and 
try to make sure banks consider them by applying Pillar II, the supervi- 
sory review process. 


2 For example, a global financial institution will have inflows and/or 
outflows denominated in some foreign currency. Currency risk in this 
case is the net exposure from the inflows and outflow. 


Enterprise risk management (ERM) applies the perspective and 
resources at the top of the enterprise to manage the entire port- 
folio of risks and account for them in strategic decisions.? ERM 
improves the traditional risk management approach, popularly 
referred to as silo-based risk management or stove-pipe risk 
management, by giving senior management an integrated, 
enterprise-level view of risk. Under silo-based risk management, 
the risks of an organization are managed at the business unit 
level. ERM offers an important supplement to the more limited 
perspective available from specific business lines or risk-type 
functions. It also focuses attention on the largest threats to a 
firm's survival and core functionality. 


Another important feature of ERM is that it supports a con- 
sistent approach to enterprise risks throughout a firm, from 

the boardroom to the business line. This consistency can be 
achieved through a robust risk culture and an adherence to 
enterprise risk appetites and governance. Firms that lack this 
consistency may see one business unit reject an opportunity due 
to its risk, while similar opportunity is embraced by another unit. 


This chapter explains how ERM evolved to help firms manage 
risk efficiently, identify overlooked enterprise risks, manage 
risk concentrations, and understand how different risk types 
interact (Figure 8.1). It also introduces the key ERM dimensions 


1. Helps firms define and adhere to enterprise risk 
appetites 

2. Focuses oversight on most threatening risks 

3. Identifies enterprise-scale risks generated at business 
line level 

4. Manages risk concentrations across the enterprise 

5. Manages emerging enterprise risks (e.g., cyber risk, 
AML (anti-money laundering) risk, reputation risk) 


6. Supports regulatory compliance and stakeholder 


reassurance 


7. Helps firms to understand risk-type correlations and 
cross-over risks 


Optimizes risk transfer expenses in line with risk scale 
and total cost 


9. Incorporates stress scenario capital costs into pricing 
and business decisions 


10. Incorporates risk into business model selection and 
strategic decisions 


GMA] Top ten benefits of ERM. 


3 Enterprise risks, meanwhile, are those risks large enough to make 
enterprise outcomes fall materially short of enterprise goals. 
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and tools, including risk culture indicators and enterprise-wide 
stress testing. 


8.2 ERM—A BRIEF HISTORY 


The need for ERM's holistic approach to risk seems almost self- 
evident, so why is it still a work in progress? The answer lies 

in the difficulty of the task and in how risk management has 
evolved at the firm and industry levels. 


Risk management is usually fully integrated within small firms, 
even if it is not necessarily well developed. But as firms grow, 
they create specialist risk functions to improve their management 
of specific risks. (This is what was discussed in earlier chapters.) 


These risk types may initially be managed independently of one 
other, with some firms operating separate risk management 
functions across their lines of business. Over time, firms may try 
to move beyond this siloed risk management structure. For 
example, they may bring their risk managers together to 
improve risk management skills, ensure all key risks are covered, 
and increase purchasing power in the risk transfer markets.4 


This kind of enterprise-level rationalization became more urgent 
after a wave of financial market liberalization in the 1970s 
increased price volatilities and created new derivative instru- 
ments across interest rate, commodities, foreign exchange, and 
other markets. By the 1990s, financial institutions realized that 
they needed to manage their derivatives portfolios and underly- 
ing economic exposures in a more integrated fashion. 


First banks, and then large corporations, began to build global 
risk management divisions, They appointed chief risk officers 
(CROs)—responsible for all types of risk—and began to use 
universal risk metrics (e.g., Value-at-Risk (VaR)) to compare and 
aggregate risks across the firm. 


4 A precursor example is the growth of the specialist insurance pur- 
chaser in US corporations and the evolution of this role into a more inte- 
grated enterprise-level insurance “risk manager” during the 1950s and 
1960s. During this period, large U.S. corporations began to centralize 
and rationalize insurance purchases, hitherto spread over many business 
divisions and activities. Pooling risk with other entities through an insurer 
can be an expensive way to transfer risk for firms with good claims 
records. The “top-of-the-firm” perspective made it clearer that larger 
firms could choose between transferring an insurable risk to an external 
insurer or using their own capital to cover a portion of the risk through 
the use of self-insurance, captive insurance companies, and similar 
mechanisms. Setting up a captive to retain risk meant understanding— 
rather than outsourcing—the risk and incentivized firms to capture risk 
data. This in turn spawned new ideas about how to mitigate risk at the 
business line level. The term “risk manager” first began to be used 

in relation to this widened role of the corporate insurance purchaser. 
Though insurance risk managers had a very different role to that of 
today’s bank risk manager, there is one striking parallel: integrating risk 
management at the enterprise level changed how the firm saw and 
managed risk. 


In the mid-1990s, derivatives disasters (e.g., Barings Bank) 
showed how institutions lacking robust risk management frame- 
works could be destroyed by one out-of-control individual. At 
the same time, banks expanded the scope of credit risk man- 
agement from a focus on the credit ratings of obligors to the 
active management of enterprise credit portfolios (e.g., through 
the use of credit derivatives). 


By the late 1990s, banks had begun to track and measure 
operational risks. At the same time, some institutions began 
trading new types of transferable risk (e.g., weather risk and 
political risk). In the same way that VaR had helped firms build 
an overall perspective of market risk, new global risk commit- 
tees and risk transfer tools helped firms to build an overarching 
perspective of enterprise risk across business lines and 

risk types. 


In the early days of global risk management, many firms had 
trouble setting up integrated ERM programs across large 
enterprises. Then, as now, firms preferred to devolve responsi- 
bility for risk to the business line (where risk can be controlled 
at the source). However, firms keep coming back to ERM 
because managing risk demands a portfolio management 
perspective. 


By the early 2000s, some of the benefits of an ERM view were 
beginning to be realized (Table 8.1). However, the global finan- 
cial crisis of 2007-2009 revealed many weaknesses in risk man- 
agement practices. Among these included 


e A failure to properly apply aggregate risk measures, 


e An inability to identify enterprise risk concentrations across 
business lines, and 


e An inability to see risks within certain business models. 


The years following the crisis saw a greater regulatory emphasis 
on ERM tools such as risk appetite and risk capacity (Chapters 2 
and 3), data aggregation and reporting (Chapter 7), enterprise- 
level scenario analysis, and risk culture (the latter two being key 
topics in this chapter). 


A 2018 survey of 94 financial institutions by Deloitte found that 
83% had an ERM program in place, up from 73% in 2016.5 
During that same timeframe, the percentage of financial institu- 
tions with a CRO rose to 95%. Despite the increase in the num- 
ber of CROs, those surveyed felt that there was room for 
improvement in the reporting relationship and that the CRO 
should report to both the CEO and to the board. The survey 
found that 25% of the respondents indicated that the CRO did 


5 Deloitte, Global Risk Management Survey, 11th Edition, Deloitte 
Insights https://www2.deloitte.com/content/dam/Deloitte/co/ 
Documents/risk/D|_global-risk-management-survey.pdf 
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ERM versus Traditional Silo-based Risk Management 


Traditional Risk Management 


ERM View 


Risk viewed in business line, risk-type, and functional silos 


Risk viewed across business lines, functions, and risk types, 
looking at diversification and concentration 


Risk managers work in isolation 


Risk team integrated using global risk management committee 
and chief risk officer 


Many different risk metrics that cannot be compared (apples to 
oranges) 


Risk aggregated, if at all, within business lines and risk types. 
Difficulty seeing the aggregate risk picture 


Development of rational risk management frameworks and 
cross-risk universal metrics (e.g., VaR and scenario analysis) to 
integrate risk view (i.e., apples to apples) 


Tools and integrated frameworks make it possible to more 
accurately measure and track enterprise risk. Potentially, risk is 
aggregated across multiple risk types. 


Each risk type managed using risk-specific transfer instruments 


Possibility of cutting risk transfer costs firm-wide and integrated 
(e.g., multi-trigger) instruments 


Each risk management approach (e.g., avoid/retain/mitigate/ 
transfer) often treated separately, with strategy rarely being 
optimized. 


Each risk management approach is viewed as one component 
of a total cost of risk, ideally measured in a single currency. 
Component choice is optimized as far as possible in risk/reward 
and cost/benefit terms expressed in that currency. 


Impossible to integrate the management and transfer of risk 
with balance sheet management and financing strategies 


Risk management is increasingly integrated with balance sheet 
management, capital management, and financing strategies. 


not report to the CEO and about half said the CRO did not 
report to the board of directors or even a sub-set of the board. 


In addition to data and IT system issues, the three issues that 
more than half the respondents cited as being extremely urgent 
or a high priority for their institution's ERM program were: 

(1) managing increasing requlatory requirements and expecta- 
tions, (2) collaboration between the business units and the risk 
management function, and (3) establishing and embedding the 
risk culture across the enterprise.® 


8.3 ERM: FROM VISION TO ACTION 


So far, this chapter has covered ERM’s evolution and basic goals. 
But how is ERM organized in practice?” This depends a lot on 
the size and type of firm, but it helps to think of ERM practices 
across five dimensions (Table 8.2). 


1. Targets: These include the enterprise's risk appetite and 
how it relates to its strategic goals (discussed in Chapter 2). 


é Ibid., p. 8. 


7 In organizational terms, ERM programs are often implemented through 
the senior management risk committee. Other risk committees, such as 
the Credit Risk committee, may adopt ERM initiatives. Meanwhile, some 
non-financial firms that lack elaborate risk committee structures may 

set up ERM committees that help coordinate ERM activities with their 
respective business lines. 


Five Key ERM Dimensions 


ERM Dimension | Examples 


Enterprise goals: Enterprise risk appetite, 
enterprise limit frameworks, risk-sensitive 
business goals and strategy formulation 


Targets 


Structure How we organize ERM: Board risk 


oversight, global risk committee 


Risk Officer; ERM subcommittee; reporting 
lines for ERM; reporting structures 


How we measure enterprise risk: 
Enterprise-level risk metrics, enterprise 
stress testing, aggregate risk mea- 

sures (Value-at-Risk, Cash-Flow-at-Risk, 
Earnings-at-Risk, etc.), “total cost of risk” 
approaches, enterprise level risk mapping 
and flagging, choice of enterprise-level 
risk limit metrics 


Metrics 


ERM Strategies | How we manage ERM: Enterprise level 
risk transfer strategies, enterprise risk 
transfer instruments, enterprise moni- 
toring of business line management of 


enterprise-scale risks 


Culture How we do things: "tone at the top”, 
accountability for key enterprise risks, 
openness and effective challenge, risk- 
aligned compensation, staff risk literacy, 


whistle-blowing mechanisms 
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Risk appetite is linked to operational mechanisms, such 

as global limit frameworks and incentive compensation 
schemes. One goal of ERM is to set the right targets and 
make sure they are not in conflict with other strategic goals. 


2. Structure: The organizational structure of an ERM program 
includes the role of the board, the global risk committee 
and other risk committees, the CRO, and the corporate 
governance framework described in Chapter 3. The goal of 
ERM is to make each structure sensitive to the enterprise- 


scale risks faced by the firm, including indirect losses. 


3. Identification & Metrics: No amount of thoughtful target 
setting or ERM reorganization will help if a firm cannot 
identify enterprise-scale risks and measure their severity, 
impact, and (ideally) frequency. This chapter discusses key 
ERM metrics such as enterprise-level scenario analysis and 
stress testing. Other metrics include aggregate risk mea- 
sures such as VaR, total-cost-of-risk methodologies, risk-spe- 
cific metrics, and whole-of-firm risk mapping and flagging 
mechanisms. Here, the goal of ERM is to make sure the firm 
has the right family of metrics to capture enterprise risks. 


4, ERM strategies: Firms also need to articulate specific strate- 
gies for managing enterprise-scale risks at either the enter- 
prise level or through the business lines. This includes the 
fundamental decisions to avoid, mitigate, or transfer risks, 
along with the choice of enterprise risk transfer instruments. 


5. Culture: If targets, structure, and metrics are the bones of 
the ERM strategy, then culture is the flesh and blood. In 
short, a strong risk culture is built from a pervasive sense of 


common goals, practices, and behaviors. 


It is tempting to rank a firm's commitment to ERM in terms of 
identifiable ERM attributes across these five dimensions. 


However, the success of ERM is governed by the how these five 
dimensions interact with each other. For example, appointing a 
CRO might either lead to important improvements in enterprise 
stress testing or be a cynical re-badging exercise that changes 
nothing. Meanwhile, an improvement in stress testing and other 
risk metrics might not lead to improvements in risk management 
if a firm lacks a healthy risk culture. 


Furthermore, many ERM programs that look well established may 
not be comprehensive. For example, surveys suggest that only 
around half of CROs review the impact of compensation plans on a 
firm's risk appetite and culture—arguably a critical ERM function.® 


The true test for ERM is whether its growing adoption leads to a 
decrease in negative surprises and mishaps. So far, empirical 


8 Deloitte, Global Risk Management Survey, 10" edition; p. 6 and p. 18. 
The Deloitte survey is available at https://www2.deloitte.com/insights/ 
us/en/topics/risk-management/global-risk-management-survey.html 


research has yielded ambiguous results. Some researchers have 
identified positive results from adopting ERM (e.g., in terms of 
bank default swap spreads),? while others have so far failed to 
find evidence of tangible benefits. 


The ambiguity in the research data probably stems from the dif- 
ficulty in identifying empirical markers of successful ERM adop- 
tion and the relatively short time series available to researchers. 
In addition, ERM is continually evolving. For example, there 

has been a much greater emphasis placed on risk culture in the 
years since the crisis. 


In the years ahead, the financial industry will continue to gather 
data and refine its methodology for back-testing the results of 
ERM adoption. 


8.4 WHY MIGHT ENTERPRISE RISK 
DEMAND ERM: FOUR KEY REASONS 


Perhaps the most important argument for ERM is that an 
enterprise-level perspective is the best way to prioritize risks 
and optimize risk management."° A risk that looks minimal at 
the business line level can develop into a threat to the whole 
enterprise. Conversely, a risk that looks threatening at a busi- 
ness line level might look trivial in the context of the diversified 
enterprise risk portfolio. 


Top to Bottom—Vertical Vision 


Large risks often begin their life a long way from the board 
room. As an example, consider the case of a car manufacturer. 
Suppose that a poor design or sourcing decision is made, and a 
potentially dangerous car part is installed. The risk is engineered 
into countless cars and therefore threatens the enterprise, its 
suppliers, and their insurers through recall and compensation 
costs, lost sales, and reputational harm. 


We can see something similar happening in the “product facto- 
ries” of financial institutions. For example, misconduct issues have 
plagued large financial firms in recent years. In these firms, selling 
a poor investment product may not seem like a critical threat at 
the business line level when the business is young. As the business 
grows, however, that threat can rise dramatically over time. 


? S, A. Lundqvist and A. Wilhelmsson, “Enterprise Risk Management 

and Default Risk: Evidence from the Banking Industry,” Journal of 

Risk and Insurance 85 (1), 2018, 127-157, with a discussion of the 
literature around ERM and value creation on pp. 130-132. See also 

M. K. McShane, A. Nair, and E. Rustambekov, “Does Enterprise Risk 
Management Increase Firm Value?” Journal of Accounting, Auditing and 
Finance, 26, 2011, 641-658. 


10 See B. W. Nocco and R. M. Stulz, “Enterprise Risk Management: Theory 
and Practice,” Journal of Applied Corporate Finance 18 (4), 2006, 8-20. 
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For both financial and non-financial firms, the remedy might be 
something simple (e.g., tweaking the design or spending marginal 
amounts on better components) or something painful (e.g., clos- 
ing a product line and firing the line manager). It might also mean 
recognizing that the risk is being driven by poor target setting by 
senior management. Whatever the remedy, ERM is the process of: 


e Recognizing the potential threat to the whole enterprise aris- 
ing from the risky design/production decision, and 

e Picking up on early signs that things are going wrong to 
reduce the leveraging effect of time. 


ERM brings risk decisions, across time and space, in line with the 
enterprise's stated risk appetite."! 


Are There Potentially Dangerous 
Concentrations of Risk within the Firm? 


Line managers look after specific business lines and therefore it 
can be difficult for them to spot risk concentrations across the 
enterprise. Credit concentrations, for example, are the big red 
lever of the credit portfolio. If a bank loans too much to one 
person (i.e., name concentration), the bank risks a significant 
loss. If too many borrowers belong to the same industry, a sec- 
tor downturn could wreak havoc to the loan portfolio. 


Hidden concentrations often build up across many different busi- 
nesses because line managers cannot see the connections. In bank- 
ing, for example, an institution may lend to one firm in its corporate 
loan division and then create a counterparty exposure with the 
same firm in its derivatives division. Many kinds of concentration 
risk can creep across enterprises. Examples include the following. 


e Geographical and industry concentrations. Examples include 
where a manufacturer's production facilities or a bank's core 
IT is located within a given region, or where a financial firm 
is over-exposed to default risk in a local economy or type of 
industry. 

e Product concentrations. For example, a derivative or retail 
product might be mispriced in multiple divisions. 


e Supplier concentrations. An example would be a firm that 
has too great of a dependency on a link in its global supply 
chain or, in the case of financial institutions, on technology 
suppliers or data/risk analysis providers. 


11 One complication is that business line short-term priorities are often 
set at the top of the firm. For example, the business line might be try- 
ing to save money on product components to boost its reported profit 
margin. It might be trying to make headquarters’ sales targets, through 
whatever means. ERM is therefore also about managing agency risk and 
the firm’s risk culture, including how to build structures within the firm 
that balance the need for aggressive short-term goals against the need 
to stay in line with long-term risk appetite. 


During the global financial crisis of 2007-2009, many firms 
found themselves with concentrations of mortgage risk in both 
specific geographies and risky product types (e.g., negative 
amortizing mortgages). 


Firms cannot always avoid concentrations. For example, insurers 
and bankers have been wary of concentrating their key systems, 
infrastructure, and data with cloud computing providers. However, 
large security investments made by cloud providers mean that 
going to the cloud could offer one way to manage cyber risk and 
strategic technology risk. Firms must manage such risk tradeoffs. 


Ultimately, ERM includes the recognition and management of 
concentration risks according to a firm's risk appetite. 


Thinking Beyond Silos 


Conversely, there are major diversification benefits that can only be 
understood at the enterprise level, particularly in terms of risk type. 


Acknowledging risk-type diversification reduces the aggre- 

gate risk capital a firm needs to hold. It also helps to transform 
“badly behaved” risk portfolios, including many kinds of opera- 
tional risk, into loss distributions closer to that of a normal distri- 
bution (Figure 8.2). 


At the same time, thinking beyond silo-based risk management 
helps firms to understand how risk types can interact to worsen 
enterprise threats. For example, enhanced consumer protection 
in the United States since the global financial crisis has created 
significant cross-over risks between credit risk, legal risk, and 
reputational risk. As a result, banks are under growing pressure 
to make sure they are not deceiving or misleading customers or 
engaging in abusive acts. 


Likewise, ERM can help firms understand how risk can cross over 
between risk types during times of stress (as noted in Box 8.1). 


Risk Retention Decisions: Self-Insurance 
and Captive Insurance 


Consumers are nearly always right to turn down offers of insur- 
ance for inexpensive goods. For example, if a kettle catches fire, 
it is the home insurance they need to worry about and not the 
replacement cost of the kettle. 


Firms have been applying the same logic at the enterprise level 
since the 1960s by using mechanisms such as self-insurance and 
captive insurance! to retain portions of property, liability, and 


12 A captive insurance company (or simply captive insurer) is an 
insurance company that is wholly owned and controlled by its insured(s), 
which is/are one or more non-insurance firms. Captive insurance is an 
alternative to self-insurance. 
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other risks. Note that around 20% of firms with between USD 
1 billion and USD 5 billion in revenue have a captive insurance 
unit; that percentage rises to over 50% for firms with at least 
USD 10 billion in revenue.’ Risk retention decisions are best 
made at the enterprise level, where the aggregate level of risk 
exposure can be understood. 


The process of understanding an enterprise risk and then manag- 
ing a portion of it in-house is happening again today with cyber 
risk. So far, only around 12% of firms using captives employ them 
to provide cyber coverage. However, 23% of them plan to do so by 
2020.14 This growth will be driven by firms improving their under- 
standing of cyber risk, such as through enterprise risk assessments 
of cyber dependencies and vulnerabilities, and then applying quan- 
titative metrics to assess the financial impact of cyber events. 


This demonstrates a general truth: firms that understand enter- 
prise risk can translate this understanding into dollar savings 
(Figure 8.3). The process is most obvious in the case of insurable 
risks,!5 but it is true for financial risks as well. As firms 


13 Aon Risk Solutions, Global Risk Management Survey 2017, p. 92. 
Captives also help firms to centrally gather information about their risks, 
check their risk taking against their risk appetite, and to build more 
effective risk management across multiple business lines and activities. 


14 Aon Risk Solutions, Global Risk Management Survey 2017, p. 89. 


15 An insurable risk is a risk where the insurer can calculate the potential 
future losses or claims. A risk where the insurer cannot calculate the 
potential losses or claims is a non-insurable risk. 


understand their true exposures (i.e., considering enterprise 
netting and diversification effects) they can retain the right 
level of exposure and target resources towards the real, 
enterprise-threatening risks. 


8.5 THE CRITICAL IMPORTANCE 
OF RISK CULTURE 


Risk culture can be thought of as the set of goals, values, beliefs, 
procedures, customs, and conventions that influence how staff cre- 
ate, identify, manage, and think about risk within an enterprise, 
including implicit and explicit beliefs. Another well-known defini- 
tion is that “risk culture can be defined as the norms and traditions 
of behavior of individuals and of groups within an organization that 
determine the way in which they identify, understand, discuss, and 
act on the risks the organization confronts and the risks it takes.” 16 


Risk culture sounds intangible, but a strong risk culture 
is a firm's surest handle on ERM?” in the same way that 


16 See IIF, Reform in the Financial Services Industry: Strengthening Prac- 
tices for a More Stable System, December 2009, Appendix III. Various 
definitions by unnamed banks are provided in APRA, “Risk Culture,” 
Information Paper, October 2016, p. 15: http://www.apra.gov.au/ 
CrossIndustry/Documents/161018-Information-Paper-Risk-Culture.pdf 


17 O, Karlsson et al., “Are CEOs Less Ethical Than in the Past?,” 
Strategy+ Business, issue 87, May 15, 2017: https://www.strategy-business. 
com/feature/Are-CEOs-Less-Ethical-Than-in-the-Past?gko=50774 
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Understanding enterprise risk saves money—and enterprises. 


a strong safety climate minimizes accidents in physical 
industries. 18 


In the aftermath of the global financial crisis of 2007-2009, super- 
visory reports focused on risk culture as a driver of risk manage- 
ment failure in large financial institutions. Other culture-driven 
scandals emerged in the post-crisis years, including the mis-selling 
of consumer financial products (e.g., the UK payment protection 
insurance scandal), the manipulation of financial markets (e.g., 
Libor manipulation), money laundering, and embargo breaches. 


The banks involved in these scandals paid massive penalties and 
suffered discounting on their share prices while litigation contin- 
ued. It is therefore not surprising that around 70% of surveyed 
financial institutions say that establishing and embedding risk 
culture across the organization is a high priority.° 


Risk culture is a difficult to address because it is multilayered 
(Figure 8.4). Individuals arrive at an enterprise with their own 


18 See summary of effect of “safety climate” on industrial accidents in 
E. Sheedy and B. Griffin, “Empirical Analysis of Risk Culture in Financial 
Institutions: Interim Report,” Risk Culture Project: MacQuarie University, 
version: November 2014, p. 7. 


19 For example, for the costs of misconduct cases as a drag on bank 
share prices, see European Systemic Risk Board, “Report on Misconduct 
Risk in the Banking Sector," June 2015, p. 16, Chart 7. 


20 For example, Deloitte, Global Risk Management Survey, 10‘ edition, 
published 2017, p. 27: https://www2.deloitte.com/insights/us/en/topics/ 
tisk-management/global-risk-management-survey.html 


Minimize Transfer Costs (Save Further USD) 


risk mindsets that are driven by their personalities, demo- 
graphics, professional standards, personal experiences, and 
so on. They then absorb many of the risk-related behaviors 
and practices of their local group (e.g., business line sales 
targets) and make risk decisions as part of that local social 
environment. 


In turn, this can lead to a gap between the stated targets of 
the organization (e.g., risk appetite and values) and behavior 
by its employees. This behavior may be driven by short-term or 
self-centered goals, with rules being broken or side-stepped. 
Furthermore, it is not easy to improve risk culture across 

the whole enterprise if a firm has no way to assess its 

progress. 


¢ Enterprise Thinking 
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ACME Risk culture is a series of overlapping 
layers. 
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HEC Risk Culture—lllustrative Key Risk Culture Indicators 


Indicator Trend Tracking 


Leadership Tone 


Does board and executive compensation support the firm’s core values? Do management's actions 
support or undermine the risk message? Can the board be shown to monitor and communicate how 
business strategy fits with risk appetite? 


Accountability and 


Risk Monitoring used? 


Are there clear expectations on monitoring and accountability for key risks? Are escalation processes 


Openness and 
Effective Challenge 


Is there evidence that opposing views from individuals are valued? Are there regular assessments of 
“openness to dissent”? Is risk management given stature? 


Risk-Aligned 
Compensation 


Are compensation and performance metrics supportive of the firm’s risk appetite and desired culture? 


Risk Appetite 
Knowledge 


Do key staff members know the firm's enterprise risk appetite? Can they answer straightforward 
questions about its application to business decisions? 


Risk Literacy/Common 


Language attended? 


Do staff use a common language to describe risk and its effects? Are training programs available and 


Risk Information Flows 


Can the firm see information flowing up and across the firm in a way that captures and highlights 
enterprise-scale risks? And is there a clear link to specific discussions and decisions? 


Risk/Reward Decisions 


Has the firm tested whether senior executives respond to benchmark risk/reward questions consistently 
with each other and with the firm's risk appetite? 


Risk Stature 
fires them? 


Do the key ERM staff have the right stature and direct communication with the Board? Who hires and 


Escalation and Whistle 
Blowing 


Do key staff members understand when and how they can escalate a suspected enterprise risk? When 
were escalation procedures last used? Is there a whistle-blowing mechanism and is it used? 


Board Risk Priorities 
ters associated with these risks? 


Can the board name the top ten enterprise risks faced by the firm? Can it name the key industry disas- 


Action Against Risk 
Offenders 


Has the firm disciplined employees who have acted against its risk appetite and ethical stance? Does the 
staff believe action will be taken even if a risk violation leads to a profit rather than a loss? 


Risk Incident and Near 
Miss Responses 


response? 


Can the firm show how it has identified culture issues in risk incidents and the measures taken in 


Measuring a Mindset 


Financial firms are increasingly expected to be able to form a 
view of risk culture within their institutions and of the degree to 
which their risk culture helps them adhere to their risk appe- 
tites.2" One approach is to identify what are called key risk 
culture indicators. 


In an effort to reduce the risk posed by systemically important 
financial institutions, the Financial Stability Board (FSB) has 
specified”? four key risk culture indicators: 


21 See APRA, Risk Culture, Information Paper, October 2016, p. 5: http:// 
www.apra.gov.au/CrossIndustry/Documents/161018-Information-Paper- 
Risk-Culture.pdf and FSB, Guidance on Supervisory Interaction with 
Financial Institutions on Risk Culture, 7 April 2014, p. 5. 


22 These are not meant to be exhaustive. FSB, Guidance on Supervisory 
Interaction with Financial Institutions on Risk Culture, 7 April 2014, p. 5. 


1. Accountability, 
2. Effective communication and challenge, 
3. Incentives, and 


4. Tone from the top. 


Table 8.3 builds on this to offer a longer series of indicators for 
discussion purposes. Some of these are informal and clearly cul- 
tural (e.g., encouraging openness in risk dialogue). Others are 
really part of a firm's organizational structure, but still signal a 
healthy environment (e.g., a whistle blower needs a way to blow 
the whistle). 


Note that this is a short illustrative list and does not reflect any 
regulatory checklist. For consistency, the first four items follow 
(in the broadest terms only) the indicators set out by the FSB. 


While firms focus on internal culture indicators, the firm's wider 
environment is also important. Environmental factors driving 
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SEI CER External Risk Culture Drivers 


External Drivers—Examples 


Economic cycles (e.g., credit cycle, industry cycle) 


Industry practices/guidelines 


Professional standards 


Regulatory standards 


Country risk/corruption indices 


risk culture may include industry norms, professional norms, and 
even phenomena such as credit cycles (Table 8.4). 


Many firms have begun systematically assessing culture using 
risk culture indicators and other internal evidence (e.g., surveys, 
interviews, and focus groups with staff).23 For example, surveys 
may ask staff how they rate the risk culture of their business line 
with regard to certain key characteristics, and how they and 
their colleagues behave in regard to risk/control decisions. 


There are methodologies for transforming questionnaire results 
and other sets of quantitative key risk culture indicators into an 
overall risk culture score. However, while these indicators track 
changes in the quality of risk culture, they do not quantify the 
size of the losses associated with risk culture failings. 


Some supervisors are digging deeper. For example, the Nether- 
lands’ DNB has conducted a series of detailed assessments of indi- 
vidual financial institutions on topics related to risk culture using 
insights from organizational psychologists, among other experts. 
The exercise brought to light “fundamental risks . . . in behavior 
and culture” in 34 of 54 assessments between 2010 and 2015.74 


23 One example of the application of questionnaires and focus 

groups to gauge key characteristics related to risk culture can 

be found in the activities of the UK's Banking Standards Board, a 
private sector subscription-funded body created to promote high 
standards of behavior: https://www.bankingstandardsboard.org.uk 
Results from their 2017/18 Annual Review can be found here: https:// 
www.bankingstandardsboard.org.uk/annual-review-2017-2018/ 
assessment-findings and a description of the BSB approach is here: 
https://www. bankingstandardsboard.org.uk/the-uk-banking-standards- 
board-an-outcome-based-approach-to-assessing-organisational-culture 


A further detailed example of a researcher-driven survey of business line 
risk culture in three large banks can be found in E. Sheedy and B. Griffin, 
Empirical Analysis of Risk Culture in Financial Institutions: Interim Report, 
Risk Culture Project: Macquarie University, version: November 2014. 


24 DeNederlandscheBank (DNB), Behaviour and Culture in the Dutch 
Financial Sector. 


A brief survey of how regulators around the world are approaching risk 
culture can be found in S. Chaly. J. Hennessy, L. Menand, K. Stiroh, and 
J. Tracy, “Misconduct Risk, Culture, and Supervision, Federal Reserve 
Bank of New York, December 2017, pp. 12-16. Available at https:// 
www.newyorkfed.org/medialibrary/media/governance-and-culture- 
reform/2017-whitepaper.pdf 


Discussion—Five Culture Clashes 


There are several problems standing in the way of a robust risk 
culture. 


1. Risk indicator or risk lever? The industry desperately wants 
to identify risk indicators that can be used to prove it is 
steadily improving risk culture. But if indicators are used 
as levers to change behavior (e.g., if survey results affect 
the performance assessments of senior managers), could 
the indicators themselves become compromised? It's a lot 
easier to manage (or manipulate) an indicator than it is to 
manage risk culture. 


2. Education for everyone? Firms can and should create com- 
mon enterprise languages of risk by defining risk manage- 
ment terms, concepts, and common procedures as well as 
key ERM roles (e.g., the Board, CRO, and business line 
leaders).? One large financial institution went so far as to 
create a fictional character in a web-based game to bring risk- 
taking decisions to life and improve risk communication 
(which apparently provoked “mixed responses”).*° But so- 
called education for everyone includes the board. At the 
end of the day, can the board list the top ten enterprise 
risks and explain how these relate to the firm’s risk appetite? 


3. Time and space: Do the same cultural attitudes exist in all 
parts of the firm and how do they change over time? 


e Empirical evidence suggests risk culture is mainly formed 
in the local business lines, rather than at enterprise 
level.?” It's easy for business lines to develop distinct risk 
cultures under the example of local team leaders. 

e Conversely, if signs emerge from multiple business lines 
that something is wrong, (e.g., similar “near misses” 
in terms of conduct issues), does the firm have mecha- 
nisms to pick up these signals? Or are they all dealt with 
individually? 


4. Culture cycle: Arguably, it is only during times of stress 
that the enterprise's real risk culture becomes visible. As a 
result, risk cultures that look robust today may not survive 
real-life crises. While regulators want risk managers to carry 
real weight within firms to withstand this kind of buffeting, 


25 For example, see IFC (World Bank Group), Risk Culture, Risk Gover- 
nance, and Balanced Incentives: Recommendations for Strengthening 
Risk Management in Emerging Market Banks, 2015, p. 13. 


26 T, Palermo, M. Power, and S. Ashby, “Navigating Institutional Com- 
plexity: The Production of Risk Culture in the Financial Sector,” Journal 
of Management Studies, 54 (2), 2017, p. 167. 


27 E, Sheedy and B. Griffin, “Empirical Analysis of Risk Culture in Finan- 
cial Institutions: Interim Report, Risk Culture Project,” Macquarie Univer- 
sity, version: November 2014, pp. 16-17. 
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Scenario Analysis: Advantages and Disadvantages 


Advantages 


Disadvantages 


No need to consider risk frequency beyond “plausibility” 


Difficult to gauge probability of events; does not lead to the 
quantification of risk 


Scenarios can take the form of transparent and intuitive 
narratives. 


Unfolding scenarios can become complex with many choices. 


Challenges firms to imagine the worst and gauge the effects 


Can allow firms to focus on their key exposures, key risk types, 
and the ways in which risk develops over time 


Allows firms to identify warning signals and build contingency 
plans 


Firms may not stretch their imaginations (e.g., scenarios might 
underestimate the impact of an extreme loss event or omit 
important risk exposures). 


Only a limited number of scenarios can be fully developed—are 
they the right ones? 


Are they the right warnings and plans, given the scenario selec- 
tion challenge? 


Does not depend on historical data; can be based around 
either historical events or forward-looking hypothetical events 


The scenarios chosen are often prompted by the last major 
crisis; imaginative future scenarios may be dismissed as 
improbable. 


Firms can make scenario analysis as sophisticated or straightfor- 
ward as they like, outside regulator defined programs. 


Scenario analyses vary in terms of quality and sophistication. 
Their credibility and assumptions can be difficult to assess. 


Stress test results can influence risk appetite, risk limits, and 
capital adequacy. 


Usefulness depends on accuracy, comprehensiveness, and the 
forward-looking qualities of the firm's stress test program. 


history suggests this weight lessens as memories of the last 
crisis fade into the past. 


5. Curse of data: In the years ahead, firms will be able to 
gather massive amounts of data about risk culture from sur- 
vey/focus group evidence, risk culture indicator scores, and 
human resources data (e.g., the number of sick days? 
taken). They can then combine this data with a wider set of 
risk data to spot patterns. However, managers may need to 
deploy machine learning technologies to hunt down 
insights and warning signs in such large data sets. 


8.6 SCENARIO ANALYSIS: ERM’S 
SHARPEST BLADE? 


Sensitivity testing involves changing one parameter or variable 
in a risk model to see how sensitive the model result is to the 
alteration (and thereby identifying key variables). On the other 
hand, stress testing includes changing one or more key variables 
to explore risk model results under stressful conditions. 


Scenario analysis involves imagining a whole scenario, develop- 
ing a coherent narrative that explains why the variables change, 
and assessing the effects of this on the firm’s risk portfolios. 


28 "Sick days” or “sick leave” is time off from work that employees can 
utilized to address illness or various health issues without losing pay. 


While scenario analysis may be entirely qualitative, firms are 
building increasingly sophisticated quantitative models to 
assess the impact of each scenario on their portfolios and 
businesses. 


Scenario analysis, along with stress and sensitivity testing, have 
risen to become the preeminent risk identification tools for 
many ERM programs. This is a result of the weaknesses in prob- 
abilistic risk metrics (e.g., VaR) that were revealed by the global 
financial crisis of 2007-2008.7? 


When markets begin to behave abnormally, risk factor relation- 
ships break down to produce market movements and loss levels 
that seem inconceivable based on VaR calculations, For exam- 
ple, amid market turmoil in August 2007, Goldman Sachs’ chief 
financial officer David Viniar said that his firm was “seeing things 
that were 25-standard deviation moves, several days in a row.”°° 


This is where scenario analysis comes in. It helps firms think 
through the enterprise impact of abnormal events and events 
for which there is no historical data. But it also has its own set of 
advantages and disadvantages (Table 8.5). 


29 See Chapter 1. Moreover, unlike most scenario analysis, it can be dif- 
ficult to understand why the VaR calculation comes up with a particular 
VaR number. 


30 P T, Larsen, “Goldman Pays the Price of Being Big,” August 13, 2007, 
available at: https://www.ft.com/content/d2121cb6-49cb-11dc-9ffe-000 
0779fd2ac 
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LEIJCE:XJ Historical Credit Scenarios—Examples 


Historical Credit Scenarios—Examples 


1997—Asian crisis 
1998—Russian debt moratorium 
2001—9/11 market effects 
2007—US subprime debt crisis 


2008—Lehman Brothers counterparty crisis 


2010—European sovereign debt crisis 


Scenario Analysis Before the Global 
Financial Crisis 


Scenario analysis has been a significant risk management tool 
in banking since well before the global financial crisis. Pre-crisis, 
banks tended to pick their own short selection of historical and 
hypothetical scenarios from a list of events (e.g., those listed in 
Table 8.6) to run against their portfolios. 


Judgments are inevitable when building scenarios. For each his- 
torical scenario, the bank considers which key variables to apply 
to its own current portfolios and how far to pursue the narrative. 
For example, should a simulation of the 1998 Russian debt 
default event (noted in Table 8.6) also include the related near- 
collapse of Long-Term Capital Management?>! 


After the crisis, it became apparent that banks often failed 

to consider factors such as the cumulative exposures across 
multiple business lines, how different risks interacted with one 
another, and how the behavior of market participants might 
change under stress. Regulators also pointed to the mildness of 
many of the hypothetical scenarios. 


Post-Crisis Trends in Scenario Building 


Since the global financial crisis, regulators around the world? 
have begun to insist that larger, systemically important banks 
demonstrate that they can withstand more severe, dynamic, and 
realistic scenarios. Regulators in the United States, for example, 
oblige larger banks to apply regulator-defined macroeconomic 
stress scenarios—specified in terms of variables such as drops in 
GDP, employment, equity markets, and housing prices—across 
their enterprise exposures. 


31 As well as credit scenarios, banks develop scenarios that demonstrate 
risk across interest rate, equity, foreign exchange, and commodity mar- 
kets as well as key operational risk events such as cyber attacks, natural 
catastrophes, or even the effects of a flu pandemic. 


32 For example, the U.S. Federal Reserve and the Bank of England. 


The US stress tests began with an initial Supervisory Capital 
Assessment Program (SCAP), which was conducted in May 2009 
as part of the healing process toward the end of the global 
financial crisis.” The results from SCAP helped reassure markets 
about the stability of the banking system. From 2011 onward, as 
part of the Dodd-Frank Act, the Federal Reserve began con- 
ducting two separate annual stress test exercises: 


e Dodd-Frank Act stress tests (DFAST), which are conducted in 
the middle of the year for all banks with assets above USD 10 
billion; and 

e Comprehensive Capital Analysis and Reviews (CCAR), which 
are conducted at the end of the year for banks with assets 
above USD 50 billion.*+ 


DFAST and CCAR apply the same supervisor-devised scenarios. 
However, DFAST is more prescriptive, applies more limited capi- 
tal action assumptions, and is less demanding in terms of report- 
ing. Both DFAST and CCAR also oblige banks to generate their 
own scenarios to complement the supervisory scenarios. 


The Federal Reserve generates three supervisor-devised mac- 
roeconomic scenarios, that are differentiated by what they are 
designed to mimic: 


e Baseline: Corresponds to the consensus forecast among 
major bank economists, 


e Adverse: A moderately declining economy, and 


e Severely Adverse: Severe, broad global recession/depression 
and an associated decline in demand for long-term fixed- 
income investment. 


CCAR obliges banks to project how these scenarios drive their 
income statements and balance sheets over a nine-quarter horizon. 
This complex process requires the dynamic projection of revenues, 
provisions, credit losses related to defaults and downgrades, man- 
agement rules for new loan issuances, regulatory ratios, and so on. 
CCAR firms must also submit detailed capital plans that include: 


e Assessments of expected sourcing and use of capital over 
the planning horizon, 


33 Macroeconomic stress testing first tended to focus on market and 
credit risk impacts. Banks and other financial institutions are now also 
often expected to conduct liquidity stress testing and to meet key stan- 
dards (e.g., the Basel III liquidity coverage ratio). 


34 More precisely CCAR is mandatory for firms designated as either sub- 
ject to Large Institution Supervision Coordinating Committee Oversight 
(selected based upon the Fed's judgement that such firms potentially 
pose “elevated risks” to the US banking system) or “large and complex” 
firms—the latter defined as (per the US code of Federal Regulations, part 
225 section 8) firms that ” (1) have USD 250 billion or more in total con- 
solidated assets, (2) have average total nonbank assets of USD 75 billion 
or more, or (3) are U.S. global systemically important bank holding com- 
panies.” Altogether, 18 firms participated in the 2018 CCAR exercise. 
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e Descriptions of the firm's process and methodology to gauge 
capital adequacy, 


e Capital policy, and 
e Discussions of any expected business plan changes that are 
likely to materially impact capital adequacy/liquidity. 


For each scenario, banks must show that they maintain minimum 
capital ratios (Figure 8.5), how they will raise capital if necessary, 
and their intentions in terms of dividend distribution, share buy- 
backs, and so forth. For example, one way to hedge potential 
capital shortages over the planning horizon is to issue contin- 
gent convertible bonds (CoCos), which are described in detail in 
Box 8.2. 


e Common equity Tier 1 capital ratio: 4.5% 
e Tier 1 risk-based capital ratio: 6% 

Total risk-based capital ratio: 8% 

Tier 1 leverage ratio: 4% 


GMA Minimum capital ratios (2018). 


Source: Federal Deposit Insurance Corporation. Regulatory Capital 
Rules: Regulatory Capital, Implementation of Basel III, Capital Adequacy, 
Transition Provisions, Prompt Corrective Action, Standardized Approach 
for Risk weighted Assets, Market Discipline and Disclosure Require- 
ments, Advanced Approaches Risk-Based Capital Rule, and Market Risk 
Capital Rule. 


BOX 8.2 WHERE DOES ERM END 
AND CAPITAL PLANNING BEGIN? 


This can be a difficult line to draw, as illustrated by contin- 
gent convertible bonds (CoCos). 


CoCos are bonds issued by a financial institution that are writ- 
ten down or convert into common equity if the firm gets into 
trouble. The idea is that CoCos ease the bank's obligations 
and cash outflows when it is in a tight spot. Most existing 
CoCos focus on accounting triggers (e.g., the level of Tier 1 
capital). However, the trigger mechanism could also be some 
market-based event (e.g., a drop in an institution's share price). 


Since the global financial crisis of 2007-2009, regulators 
have favored CoCos as a shock-absorbing funding instru- 
ment. Note that CoCos are effectively a form of insurance 
(i.e., ERM risk transfer) that can be triggered by a multi- 
plicity of underlying risk events (e.g., credit, operational, 
and systemic risks). Furthermore, because CoCos become 
less valuable after a major shock, they can help banks 
structure risk-sensitive bonuses that increase executive 
exposure to the downside and therefore potentially lead 
to an improvement in risk culture. One great advantage of 
this kind of enterprise risk transfer is that the source of the 
risk does not need to be defined in advance. 


1. CCAR macroeconomic scenarios unfold over several 
quarters (rather than being simply point-in-time shocks). 


2. The scenarios drive a series of interlinked factors cov- 
ering a variety of risks (e.g., credit risk, market risk, 
and operational risk). 


3. The risk variables are not held static. Therefore, all 
sorts of underlying risk factors (e.g., probability of 
default and loss given default) and market impacts 
(e.g., credit spreads and margining) need to be 
adjusted as the scenario unfolds. 


4. In turn, banks can allow for their capital planning as 
the scenario unfolds. 


5. Importantly, imposing a standard set of scenarios on 
the largest banks allows regulators to see systemic 
effects and compare bank risk exposures. 


Five key improvements driven by CCAR. 


If a bank cannot show it satisfies minimum capital ratios under 
stressed conditions, it must review the business plans of its vari- 
ous units and lower its risk appetite. 


The complexity of the CCAR exercise dwarfs most banks’ his- 
toric stress testing programs. In the 2018 exercise, for example, 
the 28 variables used by the regulators to describe the three 
scenarios included changes in gross domestic product, the 
unemployment rate, housing and commercial real estate price 
indices, stock market volatility (i.e., the VIX), and various interest 
rate measures (e.g., the three-month Treasury bill rate and BBB 
corporate bond yields).*> 


For each scenario, banks project the behavior of all risk factors 
affecting their portfolios over a nine-quarter horizon. These 
additional risk factors (e.g., the slope of the interest-rate term 
structure and commodity prices) can number in the hundreds! 


It has not been easy for banks in the United States to build 
scenario analysis programs that meet supervisor objectives. 
However, the exercises have driven five key ERM improvements 
(outlined in Figure 8.6). From a regulatory point of view, reac- 
tions to each scenario can now be assessed at an industry level 
to improve the stability of the financial system. 


CCAR has also transformed internal bank-driven stress test- 
ing. Specifically, banks have had to invest in building an 


35 Federal Reserve, “2018 Supervisory Scenarios for Annual Stress Tests 
Required under the Dodd-Frank Act Stress Testing Rules and the Capital 
Plan Rule,” February 2018: https://www.federalreserve.gov/newsevents/ 
pressreleases/files/bcreg20180201a1.pdf 
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infrastructure to generate dynamic projections (e.g., revenue, 
income, losses from defaults) and to track changes in their bal- 
ance sheets, key capital ratios, and liquidity ratios. Critically, 
these exercises have obliged banks to bring many business 
functions together to discuss and enable the implementation of 
these tests (which is a key ERM exercise in itself). 


Stress Testing in Europe: Future 
Directions 


Regulators around the world have also developed their own 
stress testing programs. Some, such as the European Banking 
Authority (EBA), have seen less immediate success than the 
authorities in the United States.°¢ Compared to the CCAR, the 
EBA’s testing program is more static, less sophisticated, and 
allows for less latitude in terms of altering risk and business 
strategies as scenarios unfold. This is because the EBA applies 
stress tests to a wider range of banks than CCAR. 


The big improvements in European stress testing may be 

driven not by the EBA’s supervisor-led stress tests, but by new 
approaches to bank supervision under the European Central 
Bank's Supervisory Review and Evaluation Process (SREP). These 
new approaches will examine how banks explore the sustain- 
ability of their business models under stress, including capital and 
liquidity adequacy, using industry best practices as a guide. Stress 
testing and scenario analysis will be key tools in this process. 


In the years ahead, banks are likely to move away from a lim- 
ited number of rather deterministic scenario tests toward a 
much more dynamic-stochastic approach. This approach will 
apply simulation techniques to explore many different scenarios 
playing out over time, including macroeconomic and geopoliti- 
cal shocks. 


For example, we can imagine a bank setting out its own core 
range of macro/geopolitical shocks (e.g., a sharp slowdown in 
the Chinese economy or a fall in oil prices). These shocks act 
on risk drivers such as interest rates and credit default swap 
(CDS) spreads. 


The relationship between the scenario and the risk factors can 
be specified in a variety of ways. For example, the relationship 
between a shock to oil prices (part of the scenario) and GDP 
growth rate (a risk factor) might be based on the judgment of 
business leaders or on statistical analysis of the historical record. 


Generating thousands of scenarios will allow each bank to pro- 
duce a full distribution of outcomes for key performance indica- 
tors (KPIs) such as expected profits, regulatory capital, RWAs, 


36 The first 2010 stress tests were much criticized. 


and credit losses. For some purposes, a bank might focus on 
the average outcome across the simulations (perhaps taken to 
be the base case scenario). Meanwhile, others might focus on 
the worst or very worst outcomes (i.e., adverse and severely 
adverse scenarios). 


These simulation results also help banks to conduct reverse stress 
testing. Specifically, they can identify the full range of worst out- 
comes (i.e., the tail of the distribution) in terms of bank KPIs. Then 
they can look at the scenarios that gave rise to these worst-case 
tail risks and how the shocks turned into losses. This process shines 
a light on the business lines and portfolios that contribute to a 
worst-case loss and highlights the risk factors that matter most. 


A firm can also identify the worst business environments for 
specific business lines and look at the sensitivity of various KPls 
(e.g., loan losses) to the family of risk drivers. 


Many banks around the world continue to regard stress testing 
as a largely regulatory compliance function. They do not use the 
results in their day-to-day planning processes. 


However, a new generation of stress testing technologies offers 
banks advantages beyond compliance. Specifically, they can use 
the results to: 


e Specify their risk appetites and limit frameworks, 


e Perform a “reasonableness check” on business and capital 
planning, 


e Develop early warning signals, and 


e Put in place contingencies to manage credit, funding, and 
liquidity shocks. 


8.7 ERM AND STRATEGIC DECISIONS 


Enterprise risk managers need to be involved in strategy formu- 
lation. The banking industry can provide many examples where 
business strategies (e.g., increased lending volume through low- 
ered standards or rapid growth through successive acquisitions) 
did not take ERM into account. 


The latest industry thinking encourages firms to apply ERM to 
forge a stronger link between risk and reward in corporate plan- 
ning and strategy.’ 


The latest stochastic stress testing techniques offer a practi- 

cal tool for thinking through a strategy’s ERM implications. For 
example, a bank can explore the risk effects of growing a port- 
folio of lending to a given industry sector. The bank could learn 


37 “COSO Enterprise Risk Management: Integrating with Strategy and 
Performance,” June 2017, section 3, pp. 13-16. 
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that the plan helps to diversify its risk and absorb shocks. Alter- 
natively, the strategy may add to risk concentrations or increase 
dependence on a key macroeconomic driver. 


Meanwhile, scenario simulation technology makes it poten- 
tially much easier to explore positive scenarios. For example, 

a bank may find that it would benefit from a decline in oil 
prices because it had previously reduced lending to oil produc- 
ers in favor of manufacturers who stand to benefit from lower 
input costs. 


In this way, macroeconomic stress test results are set to become 
part of general business planning activities (e.g., growth plans, 
strategic risk management, and balance sheet and capital man- 
agement). But could new approaches to ERM help shape other 
kinds of strategic decisions? 


Macroeconomic factors are not the only drivers of strategic risk. 
Banks, and all kinds of firms, need to assess strategic risks aris- 
ing from changes in factors such as technology, social behavior, 
and new kinds of competition. These kinds of strategic risk are 
very challenging because, by definition, they do not have histori- 
cal parallels (as opposed to something like a fall in GDP). 


However, new approaches to scenario building could help. For 
example, they can offer firms a way to model the impact of 
strategic shocks across the corporate balance sheet and offer 
better ways to turn expert judgments into a rigorous scenario 
selection process. 


Strengthening a wider set of corporate strategic decisions is 
vitally important. A study examining loss of enterprise value in 
public companies in the United States between 2002 and 2012 
showed: “strategic blunders were the primary culprit a remark- 
able 81 percent of the time.”38 As destroyers of shareholder 
value, strategic errors far outranked the classic risk management 
problems (e.g., major operational mishaps, fraud, corporate 
governance failures) as well as external shocks (e.g., natural 
catastrophes and political and regulatory upheavals). 


8.8 CONCLUSION: RISK 
MANAGEMENT AND THE FUTURE 


Risk management is a relatively young discipline. Chapter 1 
noted that the global financial crisis of 2007-2009 had acceler- 
ated recognition by risk managers of the multi-dimensional 
nature of risk, the connections between risk types, and (espe- 
cially) the need to integrate the application of statistical science 


38 C, Dann et al., “The Lesson of Lost Value,” strategy + business, 
November 2012, available at: https://www.strategy-business.com/ 
article/00146?gko=f2c51 


with business judgment. These three themes also point to where 
risk management is heading in the future. 


1. Risk is multidimensional and requires holistic thinking 


Risk managers now recognize the need to deploy a range 
of risk metrics to capture the many dimensions of risk. So 
far, the key advance has been in developing new forms of 
scenario analysis and stress testing to supplement summary 
statistics (e.g., VaR). 


However, scenario analysis has its own deficiencies. In the 
future, there will be more emphasis on overcoming these 
shortcomings through the development of better simulation 
technologies and more rigorous scenario selection meth- 
odologies. Future stress testing will also be more dynamic, 
stretching over periods of one to three years, and it will 

be incorporated into a firm's capital planning process. The 
results will help determine risk appetite and ensure that 
business models are sustainable and can survive severely 
adverse scenarios. 


Holistic thinking on risk requires a sophisticated approach to 
uncertainty. Almost a century ago, economists explored 
whether risk and uncertainty are the same concept. The 
debate focused on how certain we can be about our statisti- 
cal estimators and predictive capabilities. New research is 
emerging on how we can measure uncertainty about the risk 
factors and probabilities that generate risk, a dimension 
researchers call ambiguity.°? Decision makers may be averse 
to ambiguity when they expect good returns and therefore 
demand a premium—potentially measurable in the financial 
markets—for accepting ambiguous risks.“ Into the future, a 
more rigorous approach to characterizing statistical risk, 
uncertainty, and ambiguity (and measuring their effects) 
should improve decision making right up to board level. 


Moving to a more holistic approach has also led banks to 
embrace the importance of risk culture. The way an institu- 
tion thinks and talks about risk drives enterprise behavior. It 
also affects how the results of enterprise-wide stress testing 
are interpreted at the board level, including whether a bank 
is capable of “thinking the unthinkable” and dealing ratio- 
nally with ambiguous decisions. 


39 For example, see M. Brenner and Y. Izhakian, “Asset Pricing and 
Ambiguity: Empirical Evidence,” Journal of Financial Economics, 130, 
2018, 503-531. For a more general introduction to this research area 
see J. Etner et al., "Decision Theory Under Uncertainty,” Documents de 
Travail du Centre d'Economie de la Sorbonne, November 2009. 


40 Conversely, they might favor the ambiguity associated with estimates 
of losses. However, the empirical research into decisions under ambigu- 


ity is ongoing. 
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BOX 8.3 BEHAVIORAL CONCEPTS—A SELECTION* 


In recent decades, behavioral science has introduced many 
concepts that help explain why risk decisions may not 
always be rational and efficient. These concepts include the 
following. 


Anchoring and referencing: This is the use of mental reference 
points to contextualize a decision (e.g., such as using an existing 
price point to determine whether a new price point is attractive 
or not). The anchor may influence the decision-making process 
in an irrational way. Furthermore, the various reference points in 
a collection of related decisions may lack coherence. 


Feedback effects: The presence or absence of frequent, 
positive feedback can irrationally influence the ability of deci- 
sion makers to stick to a decision. 


Framing: How a choice is framed can push a decision maker 
toward one decision or another. For example, a consumer may 
be willing to hunt for a 50% savings on a phone case (saving 
themselves USD 10) but be unwilling to make the same effort 
to save the USD 10 when buying a USD 200 phone (because it 
represents a smaller percentage of the purchase price). 
Groupthink: This describes the tendency of individuals within 
groups to overcome their doubts about a risky decision (or 
keep quiet) in favor of the group consensus. The consensus 
may itself have been shaped by a dominant individual, poorly 
set targets, or selective reading of ambiguous evidence. 


Herding: Herding is the tendency of investors to copy the 
actions of others, both when investing and when reducing 
losses in a volatile market. Herding effects in risk management 
can lead to too many investors using the same risk metrics or 
setting the same stop-losses, leading to sharp market sell-offs. 


Home bias: This describes the tendency of investors to 
invest in domestic securities rather than building a globally 


Holistic thinking about risk and risk management is the way 
forward. It would be wrong, however, to set up a direct 
opposition between silo-based risk management and 
holistic ERM. The new emphasis on ERM supplements con- 
tinuing efforts to improve our quantitative, granular under- 
standing of specific risks. 


. Risk jumps across risk types in business models and 
markets 


Scenario stress testing is helping banks to understand how 
risk develops over an extended period (i.e., a year or more) 
while jumping across risk types. This kind of thinking must 
also be incorporated into business strategy formulation. 


Prior to the global financial crisis of 2007-2009, too many 
institutions pursued growth using business models based 
on high leverage or naive assumptions about the robustness 
of third-party credit assessments. Many times, growth plans 


diversified portfolio, perhaps because of the uncertainties 
attached to foreign markets. 


Loss aversion: Experiments show that for most people the 
potential for losses outweighs potential gains of similar mag- 
nitude. This can lead a decision maker to favor a result that 

is presented as certain, while foregoing the chance of larger 
but riskier wins. Loss aversion does not always lead to conser- 
vative risk decisions. It can also encourage decision makers 
to take irrationally risky decisions to preserve some chance of 
avoiding a loss. (Whether a decision is framed as a loss or as 
a potential gain is also therefore important.) 


Mental accounting: People seem to account for money 
within separate categories that are treated differently, as 
if the money was not completely fungible across accounts. 
For example, consumers might spend more if they use a 
credit card compared to using cash. Investors might invest 
the money from an inheritance differently than money from 
a gambling win. They may also be reluctant to “close” a 
mental account if it involves declaring a loss or mistake. 
Loss aversion and other behavioral phenomena, such as 
the treatment of “sunk” costs, often further distort mental 
accounting. 


Ostrich effect: This describes the irrational tendency to 
avoid observing bad news that might precipitate uncomfort- 
able decisions or actions. For example, an investor might 
pay more attention to booming stock markets than flat or 
falling markets. (Conversely, an investor that pays too much 
attention to each individual loss can suffer from irrational 
loss aversion.) 


*Many of these points are covered in more detail in R. H. Thaler, 
“Mental Accounting Matters,” Journal of Behavioral Decision 
Making, 12: 1999, 183-206. 


were formulated without input from the risk function or the 
chief risk officer. The future risk function must play a criti- 
cal role in setting a firm’s risk appetite, analyzing the risks 
of each business model (often with the help of worst-case 
scenario simulations), explaining how risks may interact, 
and planning for contingencies. Firms need to decide in 
advance on the key warning indicators and the actions that 
will then be considered. 


This may prove particularly important with the growth of 
digital businesses that are driven by machine learning and 
new data streams, or those using cognitive technologies to 
offer risk-related services to customers. 


3. Numbers and judgment 


The revolution in computing power and data science, seen 
through the rise of cloud-based on-demand analytical 
resources and machine learning technologies, seems likely 


118 M Financial Risk Manager Exam Part I: Foundations of Risk Management 


to transform risk analysis. For the moment, progress seems 
relatively slow compared to the customer-facing digital rev- 
olution. However, that is partly a function of legacy systems 
and the difficulty in changing the ways of doing things. In 
the years ahead, risk managers will be able to command 
new streams of integrated enterprise data and use machine 
learning technologies to identify patterns and correla- 
tions in large diverse bodies of data that presently seem 
intractable. It will also become easier to collect information 
live during business processes, improving vigilance and 
predictive analytics (as well as classic risk models). The key 
challenge here will be to keep the risk decisions transpar- 
ent, even when they are largely automated, and subject to 
human review. Without this transparency, machine learning 
and automated decision making simply offer a pumped-up 
version of model risk. 


Meanwhile, behavioral science, a relatively new field, 
has begun to explain why investors (and risk managers) 


sometimes deviate from the seemingly rational decisions 
assumed by traditional economists. Its findings include the 
herding effect (where investors seem to follow each other 
like a herd of sheep) and home bias (where investors prefer 
investing in their home country rather than building diver- 
sified global portfolios) (See Box 8.3). These phenomena 
need to be incorporated more rigorously into risk manage- 
ment, alongside a better understanding of how people 
react to risk events. 


It follows that the risk managers of the future will operate at the 
intersection of risk, data science, new understandings of human 
behavior, and business judgment. Risk managers will need to 
think holistically and apply new approaches to shape their firm's 
business strategy. They will also need to make sure their firms 
react to risk signals even when the signals are ambiguous and 
the risk metrics uncertain. This implies a need for many new 
skills and capabilities, alongside a new standing within enter- 
prises. It is an exciting, if sometimes daunting, vision. 
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The following questions are intended to help candidates understand the material. They are not actual FRM exam questions. 


QUESTIONS 


8.1 


8.2 


8.3 


8.4 


8.5 
8.6 
8.7 


8.9 


8.10 
8.11 
8.12 
8.13 


8.14 


8.15 


What are advantages and disadvantages of scenario 
analysis? 


What are three types of US Federal Reserve generated 
supervisory devised macroeconomic scenarios? 

What is CCAR (Comprehensive Capital Analysis and 
Review)? 

What are some of the key improvements driven by CCAR 
over standard stress testing? 

What are contingent convertible bonds (CoCos)? 


Define what is meant by risk culture? 


Provide examples of key benefits of enterprise risk man- 
agement (ERM). 


Provide examples of the kinds of concentration risk that 
can creep across enterprises. 


Provide examples that compare ERM with traditional silo- 
based risk management. 


Provide examples of ERM dimensions. 
Provide examples of key risk culture indicators (KRCls). 
Provide examples of external risk culture drivers. 
Define and explain each of the following terms: 

e Anchoring and referencing 

e Feedback effects. 

e Framing 

e Groupthink 

e Herding 

e Home bias 

e Loss aversion 

e Mental accounting 

e Ostrich effect 


Risk that looks threatening at the business line level might 
look trivial in the context of the diversified enterprise risk 
portfolio, 

A. True 

B. False 


Risk retention decisions are best made at the enterprise 
level, where the aggregate level of risk exposure can be 
understood. 

A. True 

B. False 


8.16 


8.17 


8.18 


8.19 


8.20 


8.21 


8.22 


8.23 


8.24 


CCAR does not oblige banks to generate their own sce- 
narios to complement the supervisory scenarios. 

A. True 

B. False 


For each scenario, Banks project CCAR scenarios over a 
five-quarter horizon. 

A. True 

B. False 


CoCos focus solely on accounting triggers, such as the 
level of Tier 1 capital. 

A. True 

B. False 


Reverse stress testing calls for identifying the full range of 
“worst outcomes” then picking the scenarios that gave rise to 
these worst tail risks and how the shocks turned into losses. 
A. True 

B. False 


Northern Rock was the victim of poor trading liquidity risk 
management. 

A. True 

B. False 


The ostrich effect describes the tendency of investors to 
invest in domestic securities. 

A. True 

B. False 


CCAR is 

A. requiring all banks to engage in sensitivity testing. 

B. required of all relevant banks over an asset threshold. 

C. requiring all commercial banks to perform scenario 
analysis. 

D. relevant to investment banks only. 


ERM looks at an integrated view of 

A. market and credit risks only. 

B. all the risks covered by Basel Ill. 

C. all the risks, including business risk, strategic risk, and 
liquidity risk. 

External risk culture drivers include 

A. economic cycles. 

B. industry practices. 

C. professional standards. 

D. regulatory standards. 

E. country risk. 

F. all of the above. 

G. none of the above. 
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ANSWERS 


8.1 


8.2 


8.3 


8.4 


See Table 8.5 for a list of the advantages and 
disadvantages. 


1. Baseline: representing a consensus economic forecast/ 
outlook; 

2. Adverse: corresponding to a declining economy; and 

3. Severely Adverse: severe global recession along with 
decline in demand for long-term fixed income assets. 


Note: The adverse and severely adverse scenarios 
describe hypothetical macroeconomic environments that 
test bank resilience. 


From 2011 onward, as part of the Dodd-Frank Act, the 
Federal Reserve began conducting annual stress test 
exercises. CCAR is a specific an annual stress test exer- 
cise required for large banks. 


1. CCAR macroeconomic scenarios unfold over several 
quarters (rather than simply a point-in-time shock). 

2. The scenarios drive a series of interlinked factors cov- 
ering a variety of risks such as credit risk, market risk, 
operational risk, and so on. 

3. The risk variables are not held static and all sorts of 
underlying risk factors (probability of default, loss given 
default) and market impacts (credit spreads, margining, 
etc.) need to be adjusted as the scenario unfolds. 


4. In turn, the bank can allow for its capital planning as 


8.5 


8.6 


8.7 


the scenario unfolds. 

5. Importantly, imposing a standard set of scenarios on 
the largest banks allows regulators to see systemic 
effects and compare bank risk exposures. 


CoCos are bonds issued by a financial institution that are 
written down or convert into common equity if the firm 
gets into a precarious position. 


Risk culture can be thought of as the values and norms of 
behavior that surround risk taking and risk management. 
It includes the tendency within the firm to comply with 
best-practice risk management. 


e Identifies enterprise-scale risks generated at business 
line level 


e Focuses oversight on most threatening risks 


8.9 


8.10 
8.11 
8.12 


8.13 
8.14 


8.15 


e Manages: 


e Risk concentrations across the enterprise, and 
e Emerging enterprise risks (e.g., cyber risk) 

e Supports regulatory compliance and stakeholder 
reassurance 


e Helps firms to understand risk-type correlations and 
cross-over risks 


e Optimizes risk transfer expenses in line with risk scale 
and total cost 


e Incorporates: 


e Stress scenario capital costs into pricing, and 
e Risk into business model selection and strategic 
decisions. 


e Geographical concentrations, 
e Industry concentrations, 

e Product concentrations, and 
e Supplier concentrations 


See Table 8.1: ERM versus traditional silo-based risk 
management. 


See Table 8.2 
See Table 8.3 


e Economic cycles (e.g., credit cycles), 

e Industry practices/guidelines, 

e Professional standards, 

e Regulatory standards, and 

e Country risk/corruption indices 

See Box 8.3. 

True 

Diversification at the enterprise level can reduce overall 


risk so long as the constituent pieces are not strongly 
correlated. 


True 


Otherwise situations could arise where business lines 
are offsetting risks that might already be offset by other 
businesses. 
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8.16 


8.17 


8.18 


8.19 


8.20 


False 


Both DFAST and CCAR also oblige banks to gener- 
ate their own scenarios to complement the supervisory 
scenarios. 


False 


CCAR obliges banks to project how these scenarios drive 
their income statements and balance sheets over a nine- 
quarter horizon. 


False 


The trigger mechanism could also be some market-based 
event (e.g., a drop in an institution's share price). 


True 


The purpose of reverse stress testing is to force manage- 
ment to visual potential scenarios that could generate 
critical levels of losses. 

False 


The Northern Rock collapse arose from a failure to man- 
age funding liquidity risk. 


8.21 


8.22 


8.23 


8.24 


False 


It describes the irrational tendency to avoid observing 
bad news that might precipitate uncomfortable decisions 
or actions. 


B. required of all relevant banks over an asset threshold. 


CCAR is conducted at the end of the year for banks with 
assets above USD 50 billion. 

C. all the risks, including business risk, strategic risk, and 
liquidity risk. 

Enterprise risk management (ERM) applies the perspec- 
tive and resources at the top of the enterprise to manage 
the entire portfolio of risks and account for them in stra- 
tegic decisions. 


A. all of the above 
See Table 8.4. 
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Learning from 
Financial Disasters 


E Learning Objectives 


After completing this reading you should be able to: 


® Analyze the key factors that led to and derive the lessons 


learned from case studies involving the following risk factors: 


Interest rate risk, including the 1980s savings and loan 
crisis in the US. 

Funding liquidity risk, including Lehman Brothers, 
Continental Illinois, and Northern Rock. 

Implementing hedging strategies, including the 
Metallgesellschaft case. 

Model risk, including the Niederhoffer case, Long Term 
Capital Management, and the London Whale case. 


Rogue trading and misleading reporting, including the 
Barings case. 

Financial engineering and complex derivatives, includ- 
ing Bankers Trust, the Orange County case, and 
Sachsen Landesbank. 

Reputational risk, including the Volkswagen case. 
Corporate governance, including the Enron case. 
Cyber risk, including the SWIFT case. 
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This chapter briefly examines case studies of famous financial 
disasters. The purpose of these case studies is to show how 
various risk factors can materialize and, when ignored, escalate 
into major disasters. These cases are classified by the risk factors 
involved. In each case, however, multiple risk factors simultane- 
ously caused and exacerbated the crisis, leading to major losses. 


The first section focuses on how interest rate risk led to the U.S. 
savings and loan (S&L) crisis in the mid-1980s. Section 9.2 ana- 
lyzes a couple of cases involving funding liquidity risk. Sections 9.3 
and 9.4 cover strategic risk and model risk, respectively. 


Rogue trading, discussed in Section 9.5, can cause major financial 
institutions to collapse (as seen in the case of Barings Bank). Sec- 
tion 9.6 deals with the hidden risks of financial engineering and the 
complexity of financial structures. Section 9.7 illustrates the dam- 
ages that can arise from reputation risk, and Section 9.8 focuses on 
one of the most notorious cases of corporate governance failure 
(i.e., Enron). Finally, cyber risk is discussed in Section 9.9. 


9.1 INTEREST RATE RISK 


Over the last century, interest rate risk has caused the failure 

of individual firms as well as entire industries within the financial 
services sector. One notable example can be found in the col- 
lapse of the U.S. S&L industry in the 1980s. 


To mitigate interest rate risk, firms must manage their balance 
sheet structure such that the effect of any interest rate move- 
ment on assets remains highly correlated with the effect on 
liabilities. This must be the case even in volatile interest rate 
environments. Such a correlation can be partially achieved using 
classical duration matching tools. More sophisticated meth- 
ods involve the use of interest rate derivative products such as 
futures, forwards, swaps, caps, and floors. 


The Savings and Loan Crisis 


The U.S. S&L industry prospered throughout most of the 
twentieth century thanks to regulations governing interest paid 
on deposits (i.e., Regulation Q)' and an upward-sloping yield 
curve. In particular, the upward-sloping yield curve meant that the 
interest rate borrowers paid on a ten-year residential mortgage (a 


1 From 1933 until 2011, Regulation Q restricted interest payments on 
deposit accounts. For example, banks were not permitted to pay inter- 

est on demand deposits. These restrictions were phased in three stages. 
From 1933 through 1965, the ceilings constrained the interest rates paid by 
most commercial banks. From 1966 through 1979, commercial banks and 
thrifts were constrained on the rates that they paid on at least some of their 
deposit liabilities. The Monetary Control Act (MUA) of 1980 established 
the Depository Institutions Deregulation Committee, which phased out the 
regulation of rates over the six-year period from 1980 to 1986. 


typical product offered by S&Ls) exceeded the rates on the short- 
maturity savings and time deposits that were an S&L's main 
source of funding. The mortgage design at the time was a fixed- 
rate mortgage. For example, an S&L would originate a 30-year 
fixed rate mortgage and retain it in its investment portfolio while 
borrowing funds on a short-term basis (i.e., a classic example of 
lending long and borrowing short). In the banking industry's 
vocabulary, S&Ls were simply “riding the yield curve” and earning 
a positive spread between their lending and borrowing rates. 


However, rising inflation in the late 1970s prompted the Fed to 
implement a restrictive monetary policy, which led to a significant 
increase in short-term interest rates. The regulation that restricted 
the ceiling on what S&L’s paid on their deposits was removed, 
forcing S&Ls to compete for funds with the newly created money 
market fund industry by paying market interest rates. The result- 
ing increase in short-term rates pushed up funding costs for S&Ls, 
wiping out the interest rate spread they depended on for their 
profit margin. The spike in their short-term funding costs (which 
were needed to finance long-term fixed-interest rate mortgages) 
meant that S&Ls generated negative net interest margins on 
many of their long-term residential mortgage portfolios. 


The failure of the S&Ls to manage their interest rate risk helped 
to spark a long-running crisis in the United States, which gath- 
ered force through the 1980s as S&Ls desperately sought to 
repair their balance sheets with new business activities and 
higher-margin (but riskier) lending. However, these efforts 
resulted in the industry losing even more money through poorly 
controlled credit and business risks. Between 1986 and 1995, 
1,043 out of 3,234 S&Ls in the United States failed or were taken 
over. The number of remaining S&Ls eventually fell to fewer than 
2,200 and the crisis necessitated what was (at the time) one of 
the world’s most expensive banking system bailouts: USD 160 
billion. This bailout was funded by the American taxpayers. 


It was during this period that S&Ls learned to manage their expo- 
sure to interest rate risk (as well as credit risk) from their mortgage 
portfolios by issuing mortgage-backed securities. These products, 
first issued in 1969 and backed by government agencies, did not 
eliminate the problem of borrowing short and lending long. How- 
ever, they did provide liquidity for S&L mortgage portfolios. 


9.2 FUNDING LIQUIDITY RISK 


Funding liquidity risk can stem from external market conditions 
(e.g., during a financial crisis) or from structural problems within 
a bank's balance sheet. Most often, however, it stems from a 
combination of both. The collapse of Bear Stearns and Lehman 
Brothers at the height of the 2007-2009 financial crisis, along 
with the collapse of Long Term Capital Management (LTCM) a 
decade earlier, offer examples of funding liquidity crises that 
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were prompted by unexpected external conditions and exposed 
vulnerabilities inherent in the institutions’ business models. 


Liquidity Crisis at Lehman Brothers 


During the late 1990s and early 2000s, investment bank Lehman 
Brothers invested heavily in the securitized U.S. real estate mar- 
ket. The 150-year-old institution pioneered an integrated busi- 
ness model in which it sold mortgages to residential customers,” 
turned portfolios of these loans into highly rated securities, and 
then sold these securities to investors. Unlike securities backed 
by government-backed and prime mortgage loans, these securi- 


ties were often backed by subprime mortgage loans. 


The real estate market in the United States started to sour in 
2006 and housing prices started falling following a long boom. 
During this time, however, Lehman continued to build up its real 
estate securitization business. Critically, the bank also continued 
to increase the amount of mortgage-related assets it held as 
longer-term investments for its own account (rather than simply 
acting as a middleman during the securitization process). 


As part of this aggressive growth strategy, Lehman also began to 
make outsized bets on U.S. commercial real estate. But if the firm's 
business model came to look like a risky bet on the U.S. housing 
market, it was ultimately Lehman's leverage ratio and funding strat- 
egy that threatened to turn this investment position into a disaster. 


Banks are naturally highly leveraged entities (i.e., they take on a 
large amount of debt rather than issue equity to fund their activi- 
ties). In the run up to the crisis, however, Lehman (like other 
investment banks in the boom years) pursued leverage to excess. 
By 2007, the bank had an assets-to-equity ratio of approximately 
31:1, Meanwhile, the bank's funding strategy (i.e., the way it bor- 
rowed money to grow its operations) introduced a fatal element 
of fragility. Specifically, Lehman began borrowing huge amounts 
of money on a short-term basis (e.g., borrowing daily from the 
repo markets) to fund relatively illiquid long-term real estate 
assets. This meant that the firm had to depend heavily on the 
confidence of its funders and counterparties if it was to continue 
to borrow the funds necessary to stay in business.* 


2 To this end, in the early years of the millennium, Lehman had acquired 
several mortgage lenders, including subprime lender BNC Mortgage. 


3 “Mortgage-related assets on Lehman's books increased from USD 67 
billion in 2006 to USD 111 billion in 2007, ” The Financial Crisis Inquiry 
Report, Financial Crisis Inquiry Commission, January 2011, p. 177. 


4 When investment banks came under close regulatory scrutiny in 
2007-2008, they found it tempting to play down their leverage: 
“According to the bankruptcy examiner, Lehman understated its lever- 
age through ‘Repo 105’ transactions—an accounting maneuver to 
temporarily remove assets from the balance sheet before each report- 
ing period.” The Financial Crisis Inquiry Report, Financial Crisis Inquiry 
Commission, January 2011, p. 177. 


During the second half of 2007, it became evident that the 

U.S. housing bubble had burst and that the subprime mortgage 
market was in deep trouble. As a result, confidence began to 
erode in firms heavily invested in subprime securities. In July 

of that year, Bear Stearns (another highly leveraged subprime- 
linked firm) had to support two of its hedge funds following 
steep losses caused by their subprime mortgage exposures. In 
March 2008, these weaknesses caused Bear Stearns to collapse 
after its repo lenders and bank counterparties lost confidence in 
the firm’s ability to repay its debts. J.P. Morgan then bought the 
fallen firm at a fraction of its prior market value. 


Next investors turned their attention to Lehman. Specifically, they 
began to question how accurately the firm had valued its real 
estate-based assets. Market confidence, so critical to the firm’s 
funding strategy (and therefore its liquidity), was ebbing fast. As 
the crisis mounted, many of Lehman's major counterparties began 
to demand more collateral for funding transactions, others began 
reducing their exposure, and some institutions simply refused to 
deal with the firm. Attempts to organize an industry rescue or to 
sell the firm to another large bank ultimately failed. In the early 
hours of September 15, 2008, Lehman Brothers was forced to file 
for bankruptcy, inciting months of panic and uncertainty in the 
global financial markets.° 


Liquidity Crisis at Continental Illinois 


The case of Continental Illinois Bank is an example of how inter- 
nal credit portfolio problems can precipitate a funding liquidity 
crisis. In this case, these problems were exacerbated by weak- 
nesses in the institution’s funding strategy. 


Continental Illinois was once the largest bank in Chicago. Start- 
ing in the late 1970s, the bank began pursuing an aggressive 
growth strategy that saw its commercial and industrial lending 
jump from USD 5 billion to over USD 14 billion in the five years 
prior to 1981. During that time, the bank's total assets grew 
from USD 21.5 billion to USD 45 billion. 


The first sign of Continental's problems surfaced with the closing 
of Oklahoma-based Penn Square Bank. This smaller bank had 
issued loans to oil and natural gas companies in Oklahoma during 
the boom of the late 1970s. If a loan was too large for it to ser- 
vice, Penn Square would pass it on to a larger institution such as 
Continental Illinois. But as oil and natural gas prices fell after 1981, 
some firms began to default on their debt. In 1982, Penn Square 
became insolvent and regulators stepped in to close the bank. 


By then, Continental held more than USD 1 billion in loans to 
Penn Square's oil and gas customers, and therefore suffered 
heavy losses as defaults rose. While many other banks also 


5 Report of Anton Valukas, “Examiner to the United States Bankruptcy 
Court, Re Lehman Brothers Holdings Inc.,” March 11, 2010. 
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suffered credit losses during this period, Continental was 
unusual in that it had only a tiny retail banking operation and a 
relatively small amount of core deposits. Therefore, it relied pri- 
marily on federal funds and floating large issues of certificates of 
deposit (CDs) to fund its lending business.® 


When Penn Square failed, Continental found itself increasingly 
unable to fund its operations from the U.S. markets. As a result, 
it began to raise money at much higher rates in foreign whole- 
sale money markets (e.g., Japan). But when rumors about Conti- 
nental’s worsening financial condition spooked the international 
markets in May 1984, the bank’s foreign investors quickly began 
to withdraw their deposited funds, Continental Illinois was con- 
fronted with a full-blown liquidity crisis as depositors withdrew 
USD 6 billion in only ten days. Regulatory authorities eventually 
stepped in to prevent a domino effect on other banks, which 
they feared might put the entire U.S. banking system at risk. 


Northern Rock—Liquidity 
and Business Models 


The 2007 failure of mortgage bank Northern Rock is a more 
recent illustration of liquidity risk arising from structural weak- 
nesses in a bank's business model. In this case, a combination of 
an excessive use of short-term financing for long-term assets 
and a sudden loss of market confidence triggered a funding 
liquidity crisis that rapidly led to disaster.” 


Northern Rock was a fast-growing medium-sized mortgage bank 
based in the United Kingdom. The bank had been growing 
assets at around 20% per year for several years by specializing in 
residential mortgages, and it continued to expand aggressively 
in the marketplace into the first quarter of 2007. The bank's rate 
of growth was supported by a business model and funding strat- 
egy that was unusual among U.K. banks. Specifically, the bank 
relied on an originate-to-distribute approach,® by which it raised 
money through securitizing mortgages, selling covered bonds, 
and making use of the wholesale funding markets. As a result, 
Northern Rock relied much more heavily on investors and whole- 
sale markets and less on retail deposits for funding in compari- 
son to many of its U.K. peers. 


The bank hoped to mitigate potential weaknesses in this fund- 
ing strategy by diversifying its funding markets geographically. 
For example, it tapped markets in continental Europe and the 


é Federal funds, or "fed funds” are a form of interbank lending. 


7 In the summer of 2008, California's IndyMac also suffered a bank run. 
IndyMac’s problems were more conventional as they largely involved 
weak underwriting and difficulties in finding buyers for the mortgages 
that the bank had originated. 


8 This practice is described in Chapter 4. 


Americas as well as in the United Kingdom.? As it turned out, 
however, the bank had overestimated the benefits of 
geographical diversification. 


After years of a strong economy and rising housing prices, wide- 
spread doubts about mortgage-related assets began to surface 
among investors early in 2007. These doubts were initially trig- 
gered by rising default rates in the U.S. subprime mortgage mar- 
ket but soon spread globally to asset-backed securities (ABS) as an 
investment class, then to institutions that invested in or depended 
on these securities and eventually to the interbank markets. 


When the interbank funding market froze in early August 2007, 
all of Northern Rock's global funding channels seized up 
simultaneously in a scenario that the bank's executives later 
claimed was “unforeseeable.” Ironically, earlier in the summer 
of 2007, the bank had announced increased interim dividends 
after U.K. regulators approved a Basel || waiver that allowed the 
bank to adopt so-called “advanced approaches” for calculating 
credit risk that looked likely to reduce its minimum regulatory 
capital requirements. 10 


When Northern Rock became unable to fund itself through 
interbank loans, U.K, authorities began to discuss various strate- 
gies to relieve the bank's difficulties. News of the Bank of Eng- 
land's planned support operation for Northern Rock leaked, 
setting the scene for a run on deposits in mid-September. The 
panic was exacerbated by the tight rules then in effect for com- 
pensating depositors,'' and calm only (slowly) returned after 
U.K. authorities publicly promised that deposits would be 
repaid. Northern Rock eventually accepted emergency govern- 
ment support and then public ownership. 


Lessons Learned 


As a result of the 2007-2009 crisis, the U.S. Federal Reserve 
began to mandate liquidity stress testing programs for the larg- 
est banks. These programs are aimed at ensuring that banks 
have liquidity and funding strategies that will survive system- 
wide stress scenarios.'* In essence, the challenge of managing 
funding liquidity risk lies partly in optimizing the bank's 


? See comments by Adam Applegarth, ex-CEO of Northern Rock, to 
the House of Commons, Treasury Committee, “The Run on the Rock,” 
January 2008, p. 15. 


10 Though the timing of the waiver later embarrassed the bank and its 
regulators, it was not a significant factor in the loss of confidence in 
the bank. 


11 At the time, private depositors were fully guaranteed only up to 
£2,000, with a further guarantee of 90% of sums up to a ceiling of 
£33,000. 


12 For the so-called "C-Lar” program, see S. Nasiripour, “Fed Begins 
Stress Tests on Bank Liquidity,” Financial Times, December 13, 2012. 
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borrowing sources and their composition. This optimization is 
often accomplished by managing the contractual maturities of 
assets and liabilities, either directly or synthetically, using deriva- 
tives such as interest rate swaps. Like most complicated deci- 
sions, however, asset/liability management (ALM) decisions are 
driven by trade-offs. 


e There is a trade-off between funding liquidity and interest 
rate risk: When funding liabilities have shorter duration than 
loan assets, the bank is exposed to less interest rate risk and 
more funding liquidity risk. The opposite is true when liabili- 
ties have longer duration compared to loan assets. 


e There is also a trade-off between cost and risk mitigation. 
To mitigate funding liquidity risk in a positively sloped yield 
curve environment, institutions can increase the maturity of 
their funding liabilities. However, this will clearly cost more 
than cheaper shorter-duration funding. 


Banks may also mitigate funding liquidity risk by reducing the 
maturity of their assets (e.g., commercial loans), but this is not 
always possible because asset maturity is often driven by bor- 
rower demand, the nature of a bank's business, and its competi- 
tive environment. 


As it is not possible to perfectly coordinate liquidity, firms also 
need emergency liquidity cushions to ensure they can meet their 
commitments. The larger and better quality the cushion, the 
lower the risk. However, this risk reduction comes at a cost, as 
highly liquid and marketable assets yield lower returns than less 
liquid assets. Credit lines also command a cost, even if the funds 
are not drawn. Again, banks must consider the significant tradeoff 
between pursuing a risky funding liquidity strategy and the cost 
of that strategy compared with less risky strategies and liquidity 
reserves. It follows that all the components of an ALM policy are 
linked (i.e., interest rate risk management, funding liquidity risk 
management, profit planning, product pricing, capital manage- 
ment, and fundamental business strategies) and must be part of 

a holistic and integrated approach to balance-sheet management. 


9.3 CONSTRUCTING AND 
IMPLEMENTING A HEDGING 
STRATEGY 


Developing and implementing effective hedging strategies can 
be both beneficial and challenging. This is true not just for banks 
and other financial institutions but for non-financial firms as well. 
The function(s) or individual(s) responsible for developing hedg- 
ing strategies need access to relevant information (e.g., market 
data or corporate information), and oftentimes advanced (or at 
least appropriate) statistical tools. One necessary step in this 


process involves selecting appropriate models to use for both 
pricing and hedging. These are sometimes developed in-house 
but oftentimes are acquired from external vendors, as are the 
data used in the modeling, estimation, and hedging process. 
Regardless of what tools or data are eventually selected, it is 
critical that the risk management function has a deep under- 
standing of their proper uses and limitations. 


The choice of whether to use static or dynamic hedging strategies 
is a key tactical decision. A static hedging strategy involves the 
purchase of a hedging instrument that very closely matches 

the position to be hedged and is typically held for as long as 

the underlying position is kept (or at least for a set period of time). 


A static hedging strategy has the advantage of being relatively 
easy to implement and monitor. A dynamic hedging strategy, on 
the other hand, involves adjusting the hedge through a series 
of ongoing trades to contiuously (or frequently) calibrate the 
hedge position to the (changing) underlying exposure. As such, 
a dynamic hedging strategy typically involves greater manage- 
rial effort to implement and monitor, and may involve higher 
transaction costs as the hedge position is rebalanced. Note that 
a static approach focuses on the result of the strategy at the 
horizon, whereas dynamic hedging tries to rebalance the strat- 
egy over short intervals of time (e.g., on a daily basis). 


Firms that implement dynamic hedging strategies must have 
the appropriate models and expertise to trade in the markets 
and effectively monitor their positions. This, however, will not 
necessarily preclude these firms from making mistakes in the 
implementation and communication of a risk management 
strategy. The following section illustrates this by examining a 
dynamic strategy put in place by Metallgesellschaft Refining & 
Marketing, Inc. (MGRM). 


Metallgesellschaft—How a Dynamic 
Hedging Strategy Can Go Wrong 


MGRM was a U.S. subsidiary of Metallgesellschaft AG, an indus- 
trial conglomerate based in Frankfurt, Germany. In 1993, MGRM 
entered into long-term, fixed-price contracts to deliver oil prod- 
ucts (primarily gasoline and heating oil) to end-user customers. 
Because MGRM could not change its prices after these contracts 
were signed, it was exposed to the risk of rising energy prices. 


Lacking a liquid market for appropriate long-term futures 
contracts would allow it to hedge its price risk, MGRM imple- 
mented a dynamic hedging strategy that used short-dated 
energy futures contracts. This strategy required that the hedg- 
ing instruments (i.e., the futures contracts) be “rolled forward” 
each month as they expired. The derivative position was 
adjusted monthly to reflect the changing amount of oustanding 
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contracts to be hedged in order to preserve a one-to-one 
hedge. “Such a strategy is neither inherently unprofitable nor 
fatally flawed, provided top management understands the pro- 
gram and the long-term funding commitments necessary to 
make it work,” according to Culp and Miller.'? 


The type of dynamic hedging strategy implemented by MGRM 
is known as a rolling hedge, and it can be profitable when assets 
for immediate delivery are priced higher (i.e., the spot price) 
than assets for future delivery (i.e., the futures price). This type 
of pricing curve situation is known as backwardation. When 

the firm rolls the hedge position in a market characterized by 
backwardation, the contract that is about to expire is sold at a 
price that is higher than that of the replacement longer-delivery 
contract and thus there is a resulting rollover profit. However, 
this type of strategy can result in losses when the opposite price 
relationship exists (a situation known as contango). 


MGRM therefore was exposed to curve risk (i.e., the risk of 
shifts in the price curve between backwardation and contango). 
Additionally, the firm was exposed to basis risk resulting from 
deviations between short-term prices and long-term prices. 


Spot oil prices fell significantly in 1993, from nearly USD 20 a 
barrel mid-year to less than USD 15 a barrel by year-end. This 
led to USD 1.3 billion in margin calls on MGRM's long futures 
positions that had to be met in cash. While MGRM had unreal- 
ized economic gains on its original short forward contracts, it 
had a (temporary) substantial negative cash flow. The problem 
was exacerbated when the oil price curve changed shape, 
moving from backwardation to contango. MGRM's parent 
company, which had been told the position was hedged and 
therefore did not expect a negative cashflow, ordered the 
hedges liquidated in December 1993. This resulted in large 


paper losses being turned into large realized losses.'4 


Hedging Considerations 


Another important aspect of a hedging strategy is the time 
horizon over which it is implemented. As described in the dis- 
cussion of static and dynamic hedging strategies, horizons can 
be fixed (e.g., quarter-end or year-end) or rolling. Regardless of 
the choice of horizon, performance evaluations and investment 
horizons should be aligned. 


BE, Culp and M. Miller, “Blame Mismanagement, Not Speculation, for 
Metall’s Woes,” European Wall Street Journal, 1995, April 25. 


14 The decision by management to liquidiate the hedges, while under- 
standable, might not have been the best course of action. According 
to Culp and Miller, at least three other possible actions should have 
been considered: obtaining additional financing to keep the program 
intact, finding another firm willing to buy the program from MGRM, or 
unwinding the contracts with the original customers. 


Accounting issues and potential tax implications need to be 
considered when devising a hedging strategy. Accounting rules 
related to derivatives and hedging can be quite complex and are 
subject to change. A derivative and the underlying position it is 
intended to hedge must be perfectly matched (e.g., regarding 
dates and quantities) in order for them to be reported together 
in operational profit without the need to report an accounting 
profit or loss. Without such a matching, the International Finan- 
cial Reporting Standards (IFRS) require that the hedge’s mark-to- 
market profit (or loss) be recorded. If the hedge is at least 80% 
effective, the resulting profit or loss can be recorded in the firm's 
operational or gross profit. Otherwise, the financial position will 
be recorded as a financial expense, while the underlying position 
will be recorded as an operational expense. 


How derivatives are accounted for will directly impact not only 
how they are reported in a firm's quaterly and annual financial 
reports but on a firm's profit and loss (P&L) statement as well. 
The MGRM case highlights the discrepancy between eco- 
nomic and accounting hedging, and between hedging the P&L 
or hedging the cash flows. Although MGRM was nearly fully 
hedged in economic terms, it was fully exposed in accounting 
terms and was therefore not prepared to absorb liquidity risk. 


The choice of the derivatives used in a hedging strategy may have 
very different tax implications and this can have a big impact on 
the cash flows of a firm. Tax treatment may also vary from country 
to country and can sometimes result in a multinational corporation 
finding it advantageous to hedge positions related to business in 
one country by using derivatives in another country. Getting com- 
petent professional guidance on tax matters is therefore critical 
when developing and implementing a hedging strategy. 


For any strategy to be successful, it must be effectively imple- 
mented. This is especially important because markets can move 
and prices can change, making what had initially appeared 

to be an attractive hedging opportunity unattractive. During 
implementation, firms must be ready to adapt to changing 
conditions with the same care and thoroughness that went into 
the original strategy design. Once implemented, however, the 
firm must take special care to monitor the positions with respect 
to their fit with the overall strategy and their ongoing effective- 
ness as hedges. 


9.4 MODEL RISK 


Sophisticated financial products often rely on valuation models to 
determine their prices. Models can be theoretical (e.g., CAPM) 
or they can be statistically based (e.g., the term structure of 
interest rates). Institutions are exposed to risks arising from the 
use of models when pricing these financial products. Model risk 
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can stem from using an incorrect model, incorrectly specifying a 
model, and/or using insufficient data and incorrect estimators. 


One way a model can be problematic is if its underlying assump- 
tions are flawed (e.g., assumptions about the underlying asset 
price or interest rate process). For example, a bond pricing 
model might incorporate an assumption of a flat yield curve, 
when in fact the curve is upward-sloping and unstable. This type 
of risk is both common and dangerous and can be among the 
most difficult risks to detect. Unfortunately, the annals of finance 
history are filled with examples of strategies based on faulty 
assumptions, as well as other types of flawed models, processes, 
and controls. What follows are a few relatively well-known exam- 
ples to illustrate this point. 


Wrong Assumptions—The Niederhoffer 
Put Options 


Victor Niederhoffer was a star trader who ran a very success- 

ful and well-established hedge fund. One strategy of the fund 
involved writing large quantities of uncovered (i.e., “naked”) 
deep out-of-the-money put options on the S&P 500 Index and 
collecting the option premiums. Of course, because these were 
deep out-of-the-money, the premiums collected from these 
options were quite small. An assumption underlying this strat- 
egy was that a one-day market decline of more than 5% would 
be rare. In fact, if market returns were normally distributed, a fall 
of this magnitude would be virtually impossible. 


The strategy was undone, however, when the stock market fell 
by over 7% in one day in October 1997. The sharp drop in U.S. 
equity prices followed a large overnight decline in the Hang Seng 
Index, which in turn was the result of a crisis developing in Asian 
markets. On the back of this shock, liquidity in the markets dried 
up. As a result, the fund was unable to meet over USD 50 million 
in margin calls and its brokers liquidated Neiderhoffer's positions 
for pennies on the dollar, effectively wiping out the fund’s equity. 


The lesson from this case is that one can construct a strategy with 
options that will produce a small profit over an extended period. 
Nevertheless, in such strategies there can be a small probability 
for a major loss. In other words, competitive financial markets 
rarely offer a “free lunch.” 


Long Term Capital Management 
and Model Risk: When “Normal” 
Relationships Breakdown 


The demise of Long Term Capital Management (LTCM) in 
August and September of 1998 was notable due to the size 
of the fund's exposures and the pedigree of the individu- 
als involved. Founded in 1994 by John Meriwether, LTCM’s 


principals included former Federal Reserve Board Vice-Chairman 
David Mullins, Nobel laureates Robert Merton and Myron 
Scholes, several world-renowned academics, and experienced 
traders from the famous Salomon Brothers’ bond arbitrage 
desk. Before its failure, LTCM had USD 4.8 billion in equity and 
USD 125 billion in assets, making for a 25-to-1 leverage ratio. 


LTCM’s downfall was triggered in August of 1998, when the gov- 
ernment of Russia declared a moratorium on its debt and deval- 
ued its currency (i.e., the ruble). These actions caused the value 
of LTCM's holdings to fall over 40%, a loss of nearly USD 2 billion. 
Concerned about a potential systemic crisis, the Federal Reserve 
Bank of New York brokered the rescue of LTCM by a group 

of banks that agreed to inject USD 3.5 billion into the fund in 
exchange for a 90% equity stake and control of its management. 


How could LTCM have been so adversely affected by a single 
market event? The reason lay in an arbitrage strategy the fund 
employed that was based on market-neutral trading (also known 
as relative-value trading). These strategies typically involve the 
purchase of one asset and the simultaneous sale of another and 
are designed to exploit relative mispricings between the two 
assets. As a result, these strategies generate profits when the 
price spread between assets moves in the anticipated direction, 
regardless of directional movements in the overall market. 


Many of LTCM's strategies, based on extensive and intensive 
empirical research by top-level academics and practitioners at 
the firm, appeared safe at first glance. The firm made its trades 
based on the assumption that the spreads between sovereign 
and corporate bonds in various countries were too wide and 
would eventually revert to their “normal” levels. For instance, 
LTCM would purchase UK corporate bonds and sell (or “short”) 
appropriate UK government bonds to capture a perceived 
relative-value opportunity. Other trades were motivated by the 
fact that several European countries were scheduled to join the 
European Economic and Monetary Union (EMU) and conver- 
gence of sovereign bond yields was anticipated. Trades of this 
type might involve, for instance, buying Spanish or Italian gov- 
ernment debt and selling German bunds. As long as the yield 
spread narrowed, these positions would make money regardless 
of movements in absolute prices.'° 


The limited returns from these low-risk strategies came under 
increasing pressure as more traders entered the market to take 
advantage of the same perceived opportunities. To boost per- 
formance (measured by return on equity), LTCM used leverage. 
With a 25-to-1 leverage ratio, for example, LTCM could turn a 
1% return on assets into a 25% return. This was aided by LTCM’s 


15 In some cases, such as when the prevailing spread is negative, the 
speed of narrowing is also a key factor. 
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ability to obtain large amounts of financing, collateralized by the 
bonds it invested in. Part of the fund's ability to access such large 
loans was due to its strategies being widely perceived as low-risk 
in nature. 


LTCM's failure reflected its inability to anticipate the dramatic 
increase in correlations and volatilities and the sharp drop in 
liquidity that can occur during an extreme crisis. LTCM also 
succumbed to an internal liquidity crunch brought on by large 
margin calls on its futures holdings. Ironically, LTCM's strate- 
gies were valid in the medium term, and as the crisis ended, 
the banks that took over LTCM realized substantial profits. 


Trading Models 


Basing models, or strategies, on relationships that exist dur- 
ing benign market conditions makes them vulnerable to failure 
during extreme, or crisis, situations. The events of August 1998 
in Russia made many market participants fearful of the pos- 
sibility of other sovereign defaults. These fears triggered an 
investor exodus from emerging markets and other risky assets 
into liquid and less-risky assets like US and German govern- 
ment debt. This flight to quality caused the spreads between 
“safe haven” assets, like US treasuries, and riskier assets, like 
emerging market bonds and corporate high-yield bonds, to 
diverge sharply. These same fears caused the relative yields 
between German and Italian debt to widen (because German 
bunds were thought to be safer than Italian bonds) along with 
credit spreads across a range of asset classes. 


As spreads widened, many relative-value trades began to lose 
money and lenders began to demand the posting of additional 
collateral. This forced many hedge funds to either sell assets 
at fire-sale prices to raise funds to meet the margin calls or to 
abandon their arbitrage plays. Liquidity evaporated from many 
markets, especially emerging markets, and volatility increased. 


The breakdown in the historic correlation and volatility patterns 
assumed in LTCM's models led to most of its losses. The factors 
that were most relevant during the market turmoil included the 
following. 


e U.S. Treasury interest rates and stock prices fell in tandem 
because investors had deserted the stock market and 
started purchasing U.S. government bonds in a flight to 
quality. In normal markets, stock returns and interest rates 
are negatively correlated (i.e., when interest rates fall, stock 
prices rise). 

e Liquidity vanished in many markets simultaneously and made 
the unwinding of positions exceedingly difficult. Portfolios 
that seemed to be well-diversified across markets began to 


behave as if they were highly concentrated in a single market, 
and market-neutral positions became directionally exposed 
(usually to the wrong side of the market). 


Risk Measurement Models and Stress 
Testing 


LTCM made heavy use of a Value-at-Risk (VaR) model as part of its 
risk control. VaR is a measure of the worst-case loss for an invest- 
ment (or set of investments) given normal market conditions over 
a specific time horizon and at a given confidence level. 


LTCM felt that it had structured its portfolio so that the fund’s 
risk should not have exceeded that of the S&P 500. The prob- 
lems encountered at LTCM shed light on how assumptions made 
when calculating regulatory VaR calculations do not necessarily 
apply to hedge funds. 


e The time horizon for economic capital should be the time it 
takes to raise new capital, liquidate positions in an orderly 
manner, or the period over which a crisis scenario will unfold. 
Based on the experience of LTCM, ten days is clearly far too 
short a time horizon to determine a hedge fund's VaR. 


e Liquidity risk is not factored into traditional static VaR mod- 
els. Such models assume that normal market conditions pre- 
vail and that markets exhibit perfect liquidity. 


e Correlation and volatility risks (i.e., the risk that the realized 
correlations and volatilities significantly deviate from expecta- 
tions) can be captured only through stress testing. This was 
probably the weakest point of LTCM’s VaR system. 


In describing the role of the Federal Reserve Bank of New York 
leading up to the private-sector recapitalization of LTCM, the bank's 
president, William McDonough, testified before Congress that:"¢ 


We recognize that stress testing is a developing disci- 
pline, but it is clear that adequate testing was not done 
with respect to the financial conditions that precipitated 
Long-Term Capital's problems. Effective risk manage- 
ment in a financial institution requires not only modeling, 
but models that can test the full range of financial trans- 
actions across all kinds of adverse market developments. 


During the run-up to its collapse, LTCM experienced daily vola- 
tility of more than USD 100 million, more than twice the level it 
envisioned. Furthermore, despite estimating its ten-day VaR to 


16 McDonough, W. J. (1998, October 1). Statement by William J. 
McDonough Before the United States House Committee on Bank- 
ing and Financial Services. Lecture, Washington, D.C. Retrieved from 
https://www.newyorkfed.org/newsevents/speeches/1998/mcd981001 
html 
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be USD 320 million, LTCM suffered losses of over USD 1 billion. 
Simply put, LTCM’s risk model had fatal flaws that ultimately 
contributed to the firm's demise. 


Model Risk and Governance— 
The London Whale 


During the first half of 2012, J.P. Morgan Chase lost billions of 
dollars from an exposure to a massive credit derivatives portfo- 
lio in its London office. The following case study of the event 
was compiled using word-for-word extracts from the 300-page 
report produced by a subsequent investigation by the U.S. 
Senate.'” 


Setting the Scene 


"JP Morgan Chase & Company is the largest financial holding 
company in the United States, with USD 2.4 trillion in assets. It 
is also the largest derivatives dealer in the world and the largest 
single participant in world credit derivatives markets. Its princi- 
pal bank subsidiary, JP Morgan Chase Bank, is the largest U.S. 
bank. JP Morgan Chase has consistently portrayed itself as an 
expert in risk management with a “fortress balance sheet” that 
ensures taxpayers have nothing to fear from its banking activi- 
ties, including its extensive dealing in derivatives. But in early 
2012, the bank's Chief Investment Office (CIO), which is charged 
with managing USD 350 billion in excess deposits, placed a 
massive bet on a complex set of synthetic credit derivatives that, 
in 2012, lost at least USD 6.2 billion. 


The CIO's losses were the result of the so-called “London 
Whale” trades executed by traders in its London office—trades 
so large in size that they roiled world credit markets. Initially 
dismissed by the bank's Chief Executive Officer as a “tempest in 
a teapot”, the trading losses quickly doubled and then tripled 
despite a relatively benign credit environment. . .”18 


The Risk Exposure Grows 


”. . . In 2006, the CIO approved a proposal to trade in syn- 
thetic derivatives, a new trading activity. In 2008, the ClO 


17 “JP Morgan Chase Whale Trades: A Case History of Derivatives 
Risks and Abuses,” United States Senate Permanent Subcommittee 

on Investigations, Carl Levin, Chairman and John McCain, Ranking 
Minority Member, March 15, 2013 Hearing. For the company’s own 
account of the debacle, see Report of JPMorgan Chase & Co Manage- 
ment Task Force Regarding 2012 CIO Losses, January 16, 2013. 


18 Senate report, p. 1. 


began calling its credit trading activity the Synthetic Credit 
Portfolio (SCP). 


Three years later, in 2011, the SCP’s net notional size jumped 
from USD 4 billion to USD 51 billion, a more than tenfold 
increase. In late 2011, the SCP bankrolled a USD 1 billion credit 
derivatives trading bet that produced a gain of approximately 
USD 400 million. In December 2011, JPMorgan Chase instructed 
the CIO to reduce its Risk Weighted Assets (RWA) to enable the 
bank, as a whole, to reduce its regulatory capital requirements. 
In response, in January 2012, rather than dispose of the high risk 
assets in the SCP—the most typical way to reduce RWA—the 
CIO launched a trading strategy that called for purchasing addi- 
tional long credit derivatives to offset its short derivatives posi- 
tions and lower the ClO's RWA in that manner. That trading 
strategy not only ended up increasing the portfolio’s size, risk, 
and RWA, but also, by taking the portfolio into a net long posi- 
tion, eliminated the hedging protections the SCP was originally 
supposed to provide.”'? 


Operational Risk 


“In its first four years of operation, the SCP produced positive 
revenues, but in 2012, it opened the year with losses. In January, 
February, and March, the number of days reporting losses far 
exceeded the number of days reporting profits, and there was 
not a single day when the SCP was in the black. To minimize its 
reported losses, the CIO began to deviate from the valuation 
practices it had used in the past to price credit derivatives. In 
early January, the CIO had typically established the daily value 
of a credit derivative by marking it at or near the midpoint price 
in the daily range of prices (bid-ask spread) offered in the mar- 
ketplace. Using midpoint prices had enabled the CIO to comply 
with the requirement that it value its derivatives using prices 
that were the “most representative of fair value”. But later in the 
first quarter of 2012, instead of marking near the midpoint, the 
CIO began to assign more favorable prices within the daily price 
range to its credit derivatives. The more favorable prices 
enabled the CIO to report smaller losses in the daily profit/loss 
(P&L) reports that the SCP filed internally within the bank.”2° 


”. . . by March 16, 2012, the SCP had reported year-to-date 
losses of USD 161 million, but if midpoint prices had been used, 
those losses would have swelled by at least another 

USD 432 million to a total of USD 593 million.””! 


19 Senate report, p. 3 and 4. 
20 Senate report, p. 96. 


21 Senate report, p. 96. 
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", .. One result of the CIO's using more favorable valuations was 
that two different business lines within JPMorgan Chase, the 
CIO and the Investment Bank, assigned different values to iden- 
tical credit derivatives holdings. Beginning in March 2012, as 
CIO counterparties learned of the price differences, several 
objected to the CIO's values, resulting in collateral disputes 
peaking at USD 690 million. In May, the bank's Deputy Chief 
Risk Officer . . . directed the CIO to mark its books in the same 
manner as the Investment Bank, which used an independent 
pricing service to identify the midpoints in the relevant price 
ranges. That change in valuation methodology resolved the col- 
lateral valuation disputes in favor of the ClO's counterparties 
and, at the same time, put an end to the mismarking.”22 


Corporate Governance: Poor Risk Culture 


“In contrast to JPMorgan Chase's reputation for best-in-class 
risk management, the whale trades exposed a bank culture in 
which risk limit breaches were routinely disregarded, risk metrics 
were frequently criticized or downplayed, and risk evaluation 
models were targeted by bank personnel seeking to produce 
artificially lower capital requirements. 


The CIO used five key metrics and limits to gauge and control 
the risks associated with its trading activities, including Value-at- 
Risk (VaR). During the first three months of 2012, as the ClO 
traders added billions of dollars in complex credit derivatives to 
the SCP, the SCP trades breached the limits on all five risk met- 
rics. In fact, from January 1 through April 30, 2012, CIO risk lim- 


its and advisories were breached more than 330 times.”?3 


“... The SCP’s many breaches were routinely reported to JPM- 
organ Chase and CIO management, risk personnel, and traders. 
The breaches did not, however, spark an in-depth review of the 
SCP or require immediate remedial actions to lower risk. 
Instead, the breaches were largely ignored or ended by raising 
the relevant risk limit.”24 


Model Risk: Fudging VaR Models 


“. . . CIO traders, risk personnel, and quantitative analysts fre- 
quently attacked the accuracy of the risk metrics, downplaying 
the riskiness of credit derivatives and proposing risk measurement 
and model changes to lower risk results for the SCP. In the case of 
the CIO VaR, after analysts concluded the existing model was too 
conservative and overstated risk, an alternative CIO model was 


22 Senate report, p. 6. 
23 Senate report, p. 7. 
24 Senate report, p. 7. 


hurriedly adopted in late January 2012, while the CIO was in 
breach of its own and the bankwide VaR limit. The bank did not 
obtain OCC approval as it should have to use the model for the 
SCP. The CIO's new model immediately lowered the SCP’s VaR by 
50%, enabling the CIO not only to end its breach, but to engage 
in substantially more risky derivatives trading. Months later, the 
bank determined that the model was improperly implemented, 
requiring error-prone manual data entry and incorporating for- 
mula and calculation errors. On May 10, the bank backtracked, 
revoking the new VaR model due to its inaccuracy in portraying 
risk, and reinstating the prior model.””5 (See Figure 9.1) 


9.5 ROGUE TRADING AND 
MISLEADING REPORTING 


Barings, 1995 


Profits are typically seen as a good thing, particularly at finan- 
cial firms. The collapse of Barings Bank, caused by the actions 
of Nick Leeson, should serve as a warning that outsized profits 
can also be an indicator of unrecognized risk and should be met 
with as much inquisitiveness as happiness. 


In 1992, Nick Leeson moved to Singapore and became the local 
head of operations for Barings Bank, a centuries-old British 
financial institution founded in 1762. As part of his role, Leeson 
executed client trades on the Singapore International Monetary 
Exchange (SIMEX). Expanding his responsibilities, he received 
authorization to execute an arbitrage trading strategy designed 
to exploit price disparities between Nikkei futures contracts 
listed on the SIMEX and those listed on the Osaka Securities 
Exchange (OSE). Rather than follow this arbitrage strategy, which 
involved offsetting trades in the two markets, Leeson instead 
built speculative positions by buying in one market and holding 
onto the contracts. His approach quickly generated huge losses. 


In addition to his trading authorization, Leeson also controlled 
the Singapore back office and he used this dual-role to hide 

his losses. Using a reconciliation account, Leeson converted an 
actual 1994 loss of GBP 200 million into a reported sizable profit 
of GBP 102 million. Deepening his subterfuge, Leeson managed 
to have the reconciliation account excluded from the reports 
sent to the main office in London. 


By late 1994, the outsized amount of Leeson’s profits began to 
attract the attention of Barings’ risk controllers. Their inquiries to 
Leeson’s superiors were rebuffed, however, who cited Barings’ 
“unique ability to exploit this arbitrage.” (It's possible that the 
extra bonuses his superiors received on the back of Leeson’s 


25 Senate report, pp. 7 and 8. 
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por reported a one-week profit of GBP 10 million in 
a k H May-3 January 1995, and once more their concerns 
C | ag were dismissed. Had his superiors investigated 
Pi ABIR the source and plausibility of the profits, simple 
\ - Apr-19 calculations would have shown that it would 
\ have been impossible for Leeson to have made 
A Old VaR Model [Apra these profits in the manner he claimed, as that 
\ L Apr-5 would have required trading four times that 
3 week's total volume for the Nikkei futures con- 
4, f Mar-29 tracts on both the SIMEX and the OSE. 
t=- 2 parag By the time Barings discovered Leeson’s 
\ L Mar-15 rogue trading, the losses he had accumulated 
l had grown too large and the bank was forced 
& f Mar-8 to liquidate. Eventually, ING, a Dutch bank, 
% lari acquired Barings Bank for the ignominious 
’ sum of GBP 1. 
t | Feb-23 : 
A main lesson from the Barings collapse is 
- Feb-16 that reporting and monitoring of positions 
L Feb-9 and risks (i.e., back-office operations) must be 
separated from trading (i.e., front-office opera- 
H Feb-2 tions). Another basic lesson is that outsized 
aes or strangely consistent profits (think Bernie 
Madoff as well) should be independently 
+ Jan-19 investigated and rigorously monitored in 
New VaR Model order E verify ae te real, generated 
Implemented pane in accordance with the firm's policies and 
C Jan-5 procedures, and not the result of nefarious or 
unacceptably risky activities. More broadly, it is 
[ D66723 incumbent upon risk managers to determine if 
L Dec-22 the reported business profits seem logical with 
respect to the positions held. 
Reported Sie Note that Barings’ downfall could have been 
VaR f Dec-8 avoided under regulations implemented just 
i : ; : : ; : : ' ; | Dec-1 a few years later. In addition to setting capital 
g 8 g 8 8 8 8 8 g 8 o adequacy requirements for market risk, the Basel 
Ss S S s S s Ss s s Ss Committee set limits on concentration risks. 
a = = = = S = = = = Under the 1996 amendment, banks are required 
S = = = = = 2 oe i * to report risks that exceed 10% of their capital 
and cannot take positions that exceed 25% of 
= Reported VaR Model = = Old VaR Model VaR Limit their capital. Had these rules been in effect in 
| Figure 9.1 VaR for the CIO: “old” versus “new” VaR model.2¢ 1994, or had the bank developed and enforced 


Source: The United States Senate. 


reported profits may have clouded their judgment.) The risk con- 
troller’s suspicions were raised again in January 1995 after Leeson 


26 United States Senate, Permanent Subcommittee on Investigations, 


“Exhibits, Hearing on JP Morgan Chase Whale Trades: 


Derivatives Risks and Abuses,” March 15, 2013, p. 18. 


A Case History of 


prudent guidelines similar to these rules, Barings 

would have been prohibited from amassing such 
large positions and one of the world’s most infamous rogue trading 
scandals might have been avoided.?” 


Large trading volumes and revenues typically result in large 
bonuses for senior managers. In turn, this compensation frame- 
work encourages managers to trust the traders that report to 
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them. Their reports may not be given proper scrutiny by risk 
managers or other key individuals who might be able to prop- 
erly question the veracity of the purported profits. One diffi- 
culty is that traders can use their superior knowledge of pricing 
models, or claims of profound market insights, to confound their 
internal critics. 


The antidote to this problem is for senior managers to engage 
with a healthy skepticism models and strategies that claim to 
deliver above-market returns and to insist that all models be 
transparent and independently vetted. It should be remembered 
that immediate revenues from a transaction (e.g., ten-year credit 
default swap) cannot be recognized as economic profit. Rather, 
a transaction’s profitability depends on its performance over its 
life. Unfortunately, accounting procedures can be used to misre- 
port profits for risky derivative instruments. 


9.6 FINANCIAL ENGINEERING 


Forwards, swaps, and options are the main building blocks of 
financial engineering. They can be used separately to hedge 
specific risks or be combined to form complex structures that 
meet client needs. 


Derivatives allow investors and institutions to break apart (i.e., 
segment) risks. Conversely, derivatives can be used to manage 
risks on a joint basis. For example, consider a U.S. fund manager 
holding a bond denominated in euros. The fund manager is 
exposed to interest rate risk in the euro fixed-income market and 
to currency risk from changes in the dollar/euro exchange rate. 
The fund manager can hedge both risks with a currency swap. 
Alternatively, the fund manager can hedge the foreign exchange 
exposure separately through a currency forward or option. The 
fund manager could also avoid the trouble of hedging only the 
currency exposure by entering into a so-called quanto swap. 
Under this structure, the fund would receive the coupon of the 
bond in dollars at a prearranged exchange rate and pay to the 
counterparty the U.S. Libor floating rate. 


The financial engineers responsible for devising complex instru- 
ments do so to satisfy the risk-return appetites of their clients. 
But financial engineering is not by itself risk management, 

and in the world of derivatives the line between hedging and 
speculation can be blurry. Firms may be tempted to enter into 
complex transactions that enhance immediate portfolio returns. 
However, enhancing returns almost always means taking on 
more risk in some form or other. This risk may come in the form 
of an unlikely but potentially very severe future loss. Too often, 
the embedded risk is not fully understood by firms entering 
into complex derivative transactions. Or it may be the case that 
these risks are not fully communicated to senior managers and 
other stakeholders. 


The Risks of Complex Derivatives 


Back in the early 1990s, Bankers Trust (BT) proposed that clients 
Procter & Gamble (P&G) and Gibson Greetings enter complex 
leveraged swaps to achieve lower funding costs. In the swap 
with P&G, for example, BT would pay a fixed rate to P&G for 
five years, while P&G would pay a floating rate, which was the 
commercial paper rate minus 75-basis points if rates remained 
stable. But, through a complex formula, the floating rate 

would increase considerably if rates rose during the period; for 
example, an increase of 100-basis points in rates produced a 
1,035-basis point spread over the commercial paper! 


In 1994, the Fed increased the federal funds rate by 250-basis 
points, causing colossal losses for both P&G and Gibson Greet- 
ings. Both companies sued BT for misrepresenting the risk 
embedded in these complex swap transactions. BT never quite 
recovered from the ensuing reputational damage and was 
eventually acquired by Deutsche Bank.”® 


The Case of Excess Leverage and 
Complex Financial Instruments: 
Orange County 


Repos”? allow investors to finance a significant portion of their 
investments with borrowed money (i.e., leverage). But using 
leverage means that the profit or loss on any position is 
multiplied; even a small change in market prices can have a 
significant impact on the investor. 


Leverage, through the use of repos, was part of the undo- 

ing of California’s Orange County. In the early 1990s, Orange 
County treasurer Robert Citron had managed to borrow USD 
12.9 billion through the repo market. This enabled him to accu- 
mulate around USD 20 billion of securities even though the fund 
he managed had only USD 7.7 billion in invested assets. 


Citron used the borrowed funds to purchase complex inverse 
floating-rate notes whose coupon payments decline when 
interest rates rise (as opposed to conventional floaters, whose 
payments increase in such a circumstance). In the favorable 
upward-sloping curve environment in the years before 1994, 
Citron was able to increase the return of the fund by 2% com- 
pared to similar pools of assets. However, over the course of 
1994, the Federal Reserve raised interest rates by 250-basis 
points. As interest rates rose, the market value of his positions 


28 There were also a series of actions filed by local authorities in the U.S. 
and U.K. on the misrepresentation of the risks associated with swaps. In 
the U.K. these are referred to as “local authorities swaps litigation.” 


2? Repos (also called repurchase agreements) are a way to borrow cash 
by agreeing to sell securities to a counterparty and then repurchase 
them at (slightly) higher price shortly thereafter. 
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dropped substantially, generating a loss of USD 1.5 billion by 
December 1994. At the same time, some of the fund's lenders 
stopped rolling over their repo agreements. Ultimately, Orange 
County was forced to file for bankruptcy. 


This debacle was caused by a combination of excessive leverage 
and a risky (and eventually wrong) interest-rate bet embedded 
in the securities bought by the fund.°° Citron later admitted he 
did not understand either the position he took nor the risk 
exposure of the fund. 


Firms need to understand the risks that are inherent in their 
business models. Senior management then needs to deploy 
robust policies and risk measures tying risk management, and 
particularly the use of derivatives, to risk appetite and overall 
business strategy as it has been communicated to stakeholders. 
Management and boards should always ask where the risks are 
hiding and under what circumstances could they produce a loss. 


The Case of Investing in AAA Tranches 
of Subprime CDOs: Sachsen 


Prior to the 2007-2009 financial crisis, some of the biggest buyers 
of U.S. subprime securities were European banks. Among these 
institutions were publicly owned banks in Germany called the 
Landesbanken. While these instruments offered an attractive risk 
premium, they also required understanding and pricing expertise. 


Landesbanks traditionally specialized in lending to regional 
small- and medium-sized companies. However, during the boom 
years some began to open overseas branches and develop 
investment banking businesses. One of the most notorious 
examples was the Leipzig-based Sachsen Landesbank. 


Sachsen opened a unit in Dublin tasked with setting up vehicles to 
hold large volumes of highly rated U.S. mortgage-backed securi- 
ties. While these vehicles were technically off the parent bank’s bal- 
ance sheet, they benefited from the guarantee of Sachsen itself. 


While this operation was highly profitable,*" it was simply too large 
when compared to the size of Sachsen’s balance sheet. When the 
subprime crisis struck in 2007, the rescue operation wiped out 


30 The common mistake made by other asset managers who purchased 
inverse floaters was that there was no understanding of the embedded 
leverage. For example, an inverse floater could have a duration of 15 to 25. 
In several SEC administrative hearings, however, the portfolio managers of 
limited duration funds whose portfolios blew up as a result of their inverse 
floater holdings testified that their durations were between 1 and 3. 


31 See P. Honohan, “Bank Failures: The Limitations of Risk Modelling,” 
Working paper, 2008, for a discussion of this and other bank failures. 
Honohan says that reading Sachsen’s 2007 Annual Report suggests 

that, “The risk management systems of the bank did not consider this 
[funding liquidity commitment] as a credit or liquidity risk, but merely 

as an operational risk, on the argument that only some operational 
failure could lead to the loan facility being drawn down. As such it 

was assigned a very low risk weight attracting little or no capital.” (p. 24) 


Sachsen’s capital and the bank had to be sold to Landesbank 
Baden-Wiirttemberg (i.e., another German state bank). 


9.7 REPUTATION RISK 


A firm's reputation is based on the belief that it can and will 
fulfil its promises to counterparties and creditors, and that the 
enterprise is a fair dealer and follows ethical practices. In recent 
years, however, concern about reputation risk has become more 
prominent with the rapid growth of social networks. Rumors 
can spread quickly on the internet and destroy reputations in 

a matter of hours. Companies are also under growing pressure 
to demonstrate their commitment to environmental, social, and 
governance-related best practices. As a result, the reputational 
damage for unethical conduct can be very severe. 


Volkswagen Emission Cheating Scandal 


A major scandal to hit the German automaker Volkswagen 
involved regulatory testing. In September 2015, the United 
States Environmental Protection Agency (EPA) announced that 
Volkswagen had programmed certain emissions controls on its 
diesel engines to be activated only during regulatory testing 
but not during real-world driving. Thus, while nitrogen oxide 
levels would meet U.S. standards during regulatory testing, 
they greatly exceeded these standards when the cars were 
actually on the road. From 2009 through 2015, Volkswagen put 
this programming in place in over ten million cars worldwide 
(500,000 in the United States alone). Volkswagen executives 

in Germany and the United States formally acknowledged the 
deception on a September conference call with the EPA and 
California officials. 


The damage to Volkswagen, the world’s biggest carmaker, was 
significant. The share price of the company fell by over a third 
as the scandal unfolded and the firm faced billions of dollars 

in potential fines and penalties. Numerous lawsuits were filed. 
Its reputation, particularly in the important US market, took a 
severe hit. The reputational effect extended beyond the com- 
pany itself as German government officials expressed concerns 
that the value of the imprimatur “Made in Germany” would be 
diminished because of Volkswagen’s actions. 


9.8 CORPORATE GOVERNANCE 


Corporate governance was the topic of Chapter 3. This chapter 
has already illustrated some corporate governance failures with 
J.P. Morgan Chase and "The London Whale” in Section 9.4 and 
the Volkswagen emission cheating scandal in Section 9.7. This sec- 
tion examines the bankruptcy of the energy giant Enron in 2001. 
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Enron 


Enron was formed in 1985 following the heavily leveraged 
merger of InterNorth and Houston Natural Gas. As the result 
of deregulation, however, the firm lost the exclusive rights 

to its pipelines. In order to survive, Enron devised a new and 
innovative business strategy to become a so-called “gas bank.” 
This strategy involved buying gas from various suppliers and 
selling it to a network of consumers at guaranteed amounts 
and prices. In return for assuming the associated risks, Enron 
charged fees for these transactions. As part of this process, 
Enron created a market for energy derivatives where one had 
not previously existed. 


Enron was named “America’s Most Innovative Company” in 
1995 by Fortune and won this prestigious award for six consecu- 
tive years. The firm's shares were worth almost USD 90.56 at its 
peak in August 2000. That year Enron had 20,000 employees 
and revenues of nearly USD 101 billion. 


Enron constantly pushed for deregulation of the energy 
market, which would give the firm greater flexibility to pur- 

sue its business model. The energy market in California was 

a prominent example of this push that ultimately led to much 
criticism as Enron played a key role in the 2000-2001 California 
electricity crisis. 


California had previously capped its retail electricity prices after 
experiencing a shortage of electricity, which it attributed to mar- 
ket manipulations. By taking power plants offline during times of 
peak demand, Enron could raise power prices by up to 2,000%. 
Because the California government had capped retail electric- 
ity prices, Enron's actions squeezed revenue margins across the 
industry and eventually led to the bankruptcy of Pacific Gas and 
Electric Company (i.e., one of the largest power companies in 
the United States) in 2001. 


Enron itself declared bankruptcy in December 2001. The larg- 
est corporate bankruptcy in U.S. history when it occurred, the 
firm's collapse has been widely discussed in academic, practitio- 
ner, and popular press forums. It is now clear what went wrong 
Enron was a poster child of corporate governance failure and 
poor risk management. 


Many in Enron's senior management acted in their own self- 
interest and against the interests of shareholders (i.e., this is 
known as agency risk). For example, Enron chairman and CEO 
Ken Lay was charged with “falsifying Enron's publicly reported 
financial results and making false and misleading public 


representations about Enron's business performance and finan- 


cial condition.”32 


However, Enron's board also failed to fulfill its fiduciary duties to 
the shareholders. For example, the board was aware of and 
allowed the CFO to become the sole manager of a private 
equity fund that did business with Enron. As it turned out, how- 
ever, the private equity fund lacked economic substance.°% 


Most damning, Enron also used “creative” (i.e., fraudulent) 
accounting practices to hide flaws in its actual financial perfor- 
mance. As one example, note that Enron transferred its stock to 
a special purpose vehicle (SPV) in exchange for either cash or 
notes.°4 The SPV classified the Enron stock as an asset on its 
balance sheet. In turn, Enron guaranteed the SPV's value to 
reduce its credit risk.?> Importantly, Enron failed to adequately 
disclose the lack of an arm's length relationship between the 
company and the SPV. 


Another example of Enron’s duplicity is a scheme by which the 
firm would build a physical asset and then immediately declare a 
projected mark-to-market profit on its books. It would do this 
even though it had not yet made any money from the physical 
asset. If the revenue from the asset was less than the projected 
amount, then Enron would simply transfer the asset to an SPV. 
The financial loss would therefore go unreported and Enron 
could write off unprofitable activities without impacting the bot- 
tom line. In short, Enron became adept at hiding the financial 
losses of its operations using a variety of deceptive 
techniques.*° 


Enron outsourced its audit function to Arthur Andersen, formerly 
one of the Big Five accounting firms. Andersen either failed 

to catch or explicitly approved many of fraudulent accounting 
practices that led to Enron's collapse. Once the scandal came to 


32 SEC, (2004, July 8), Retrieved from https://www.sec.gov/news/ 
press/2004-94.htm 


33 See https://scholarship.law.upenn.edu/cgi/viewcontent.cgi7article= 
1009&context=fisch_2016 


34 See Segal, T. (2019, June 28). Enron Scandal: The Fall of a Wall 
Street Darling. Retrieved from https://www.investopedia.com/updates/ 
enron-scandal-summary/ 


35 The SPV was capitalized entirely with Enron stock. The danger is that 
if the value of Enron’s stock declines, the credit risk of the SPV increases. 


36 Primbs, Michael and Wang, Clara, "Notable Governance Failures: 
Enron, Siemens and Beyond" (2016). Comparative Corporate Gover- 
nance and Financial Regulation. Paper 3 https://scholarship.law.upenn. 
edu/cgi/viewcontent.cgi?article=1009&context=fisch_2016 
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light, Andersen was forced to surrender its accounting licenses 
to the Securities and Exchange Commission (SEC). This was 
effectively a death sentence for the firm. 


Aftermath 


In the United States, the Sarbanes-Oxley Act (SOX) of 2002 was 
a key legislative reform that resulted from the Enron debacle, 
along with associated changes in stock exchange and account- 
ing rules. SOX created the Public Company Accounting Over- 
sight Board (PCAOB),2” which has assumed an important role in 
promoting good corporate governance and financial disclosure. 
As indicated in Chapter 3, boards and audit committees increas- 
ingly rely on the chief risk officer (CRO) to integrate corporate 
governance responsibilities with existing risk management 
responsibilities to improve overall risk governance. 


9.9 CYBER RISK 


Cyber risk has become a critically important consideration in 
recent years. Banks’ systems can be hacked, their ATMs can be 
used to steal money and client information, customer identities 
can be stolen and misused, and so on. Financial institutions are 
spending billions of dollars every year on their systems to make 
them safer. These systems must be protected from the outside 
world as well as from internal misuse. Threats to the banking 
system from cyberattacks are also a major concern to inter- 
national regulatory bodies, such as the Bank for International 
Settlements (BIS) and the International Monetary Fund (IMF), as 
well to local regulators. 


37 The PCAOB promulgates auditing standards and has the power to 
investigate. 


The SWIFT Case 


SWIFT is the world’s leading system for transferring funds 
electronically among banks processing billions of dollars in 
transactions every day. In fact, SWIFT is considered so reliable 
that transactions which normally take days (in order to prevent 
fraud) are instead completed in seconds. 


In April 2016, an article published in The New York Times 
revealed that hackers had used the SWIFT network to steal 
USD 81 million from the account of Bangladesh Bank (the 
central bank of Bangladesh) at the New York Fed. The heist 
involved malware that sent unauthorized SWIFT messages 
instructing funds to be moved to an account controlled by the 
hackers. Then, the malware deleted the database record of the 
transfer and disabled transaction confirmation messages that 
would have revealed the theft. 


CONCLUSION 


Factors such as adverse macroeconomic activity, increased 

competition, and evolving technologies can cause major losses 
for financial instructions. This chapter, however, reviewed major 
losses that stemmed from factors beyond normal business risk. 


While each case study describes a unique situation, understand- 
ing the mistakes committed by others should help in designing 
better risk management systems across the enterprise.°° All this 
goes beyond, and is even more important than, simply calculat- 
ing the regulatory or economic capital requirements. 


38 See Crouhy, Galai, and Mark, “ ‘What's in a Name?’ Risk,” Enterprise 
Wide Risk Management Supplement (November 1997), pp. 36-40. 
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The following questions are intended to help candidates understand the material. They are not actual FRM exam questions. 


QUESTIONS 


9.1 
9.2 


9.3 


9.4 


9.5 


9.6 


9.7 


What does it mean to ride the yield curve? 


The S&L crisis of the 80s was mainly due to 

A. S&Ls failing to manage their interest rate risk. 
B. increased competition among S&Ls. 

C. increased competition from commercial banks. 
D. economic recession. 


Explain what the major factors leading to Lehman Brothers 
collapse in September 2008 were. 


Liquidity risk, which brought the demise of Lehman Broth- 

ers and Continental Illinois, was not caused by 

A. expanding the business too fast. 

B. reliance on short-term financing. 

C. changes in regulation that required more liquidity 
reserves. 

D. worsening macroeconomic conditions. 


In the Northern Rock case one of the lessons is that there 
is a tradeoff between funding liquidity and interest rate 
risk: When funding liabilities have shorter duration than 
loan assets, the bank is exposed to interest rate 
risk and funding liquidity risk. 

A. lower, higher 

B. lower, lower 

C. higher, higher 

D. higher, lower 


Rumors about a possible intervention by the Bank of Eng- 
land contributed to the default of Northern Rock. 


A. True 

B. False 

In which of the following cases did the firm default due to 
fraud? 

A. Metallgesellschaft Refining and Marketing 

B. Northern Rock Bank 

C. Victor Niederhoffer 

D. None of the above 


9.8 


99 


9.10 


9.11 


9.12 
9.13 
9.14 


LTCM was purported to have had an experienced team 
and operated strategies that were perceived as having 
minimal risk. So, what were the reasons for the collapse of 
LTCM in September 1998? Explain. 


Which of the financial disasters was not affected by 
increased correlations in the markets? 

A. LTCM 

B. Metallgesellschaft 

C. The subprime crisis 

D. The London Whale 


In the “London Whale” case it is mentioned that ”. . . the 
SCP trades breached the limits on all five risk metrics. In 
fact, from January 1 through April 30, 2012, CIO risk limits 
and advisories were breached more than of 330 times.” 
How can the inaction of the bank's management be 
explained? 

Explain the term “flight to quality” and explain how it 
relates to a financial crisis. 


What is model risk? 

Give some famous examples of rogue trading. 
The Enron failure was due to 

A. liquidity risk. 

B. foreign currency risk. 


C. commodity risk. 
D. governance risk. 
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ANSWERS 


9.1 


9.2 


9.3 


9.4 


9.5 


9.6 


9.7 


9.8 


Maintain positive spreads between interest rates earned 
on longer-term assets (e.g., loans) and interest paid on 
shorter-term liabilities (e.g., deposits). 


A. S&Ls failing to manage their interest rate risk. 


Interest rate risk led to the US savings and loan (S&L) 
crisis in the mid-1980s. 


Concerns about the valuation of the firm’s real estate- 
based assets led to a loss in market confidence. Counter- 
parties began to reduce their exposure significantly and 
the firm could not roll over its debt. Attempts to orga- 
nize an industry rescue failed. 


C. changes in regulation that required more liquidity 
reserves. 


In each case, the liquidity crisis was brought on by 
changing conditions in the wider economy and the credit 
markets. 


A. lower, higher 


Banks must consider the significant tradeoff between a 
short-term funding strategy with low rates but frequent 
rollovers (and thus more liquidity risk) and a long-term 
funding strategy with higher rates (and thus higher costs) 
but less frequent rollovers. 


True 


When Northern Rock became unable to fund itself 
through interbank loans, UK authorities discussed vari- 
ous strategies to relieve the bank's difficulties. News of 
the Bank of England's planned support operation for 
Northern Rock leaked, setting the scene for a run on 
deposits between September 14 and September 17. 


D. None of the above 
The fraud examples included Barings Bank and Enron. 


LTCM failed because its models did not anticipate the 
vicious circle of losses that would arise as volatilities 
increased, correlations between various instruments and 
markets approached 1, and liquidity vanished. LTCM also 
succumbed to a liquidity crunch caused by large margin 


9.10 


9.11 


9.12 


9.13 
9.14 


calls on its futures holdings. Ironically, LTCM's strategies 
actually were valid in the medium term, and as the crisis 
ended, the banks that took over LTCM realized a sub- 
stantial profit. 


B. Metallgesellschaft 


Metallgesellschaft was hurt by change in the shape of the 
price curve. 


Failure in corporate governance and poor risk culture. 
Specifically, the whale trades showed that breaches in 
risk limits were frequently ignored, risk metrics were 
often criticized or downplayed, and risk models were 
misused by employees to set capital requirements that 
were artificially low.3? 


When investors are worried about the economic and 
market environment, they tend to rebalance their 
portfolio by investing heavily in “secure” assets from 
“safe heaven” countries (e.g., the United States). As 

a consequence, the yield on US securities goes down 
during a financial crisis, whereas interest rates in other 
countries go up. 


Trading of financial securities, especially derivative prod- 
ucts, relies heavily on mathematical models. Trading 
losses can be the consequence of model errors due to 
incorrect assumptions about the underlying asset price 
process, errors in the calibration of key input parameters 
such as volatility and correlations, and errors in the deri- 
vation of the hedge ratios. 


Note that when markets become illiquid (e.g., during a 
financial crisis), even the best model might not be able 
to help in hedging the risk of a trading position because 
traders might not be able to execute the hedge in the 
market. 


Barings 
D. governance risk. 


Enron was a poster child of corporate governance failure 
and poor risk management. 


3? Frierson, R. D. (2013, June 7). Re: Docket No. 1457 and RIN 
7100-AD-95 on Large Bank Assessments [Letter to United States Senate 
Committee on Homeland Security and Governmental Affairs]. 
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Anatomy of 
the Great 


Financial Crisis 
of 2007-2009 


E Learning Objectives 


After completing this reading you should be able to: 


® Describe the historical background and provide an over- 
view of the 2007-2009 financial crisis. 


® Describe the build-up to the financial crisis and the factors 
that played an important role. 


® Explain the role of subprime mortgages and collateralized 
debt obligations (CDOs) in the crisis. 


® Compare the roles of different types of institutions in the 
financial crisis including banks, financial intermediaries, 
mortgage brokers and lenders, and rating agencies. 


® Describe trends in the short-term wholesale funding mar- 
kets that contributed to the financial crisis, including their 


impact on systemic risk. 


® Describe responses made by central banks in response to 


the crisis. 
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10.1 INTRODUCTION AND OVERVIEW 


The cascade of events that came be known as the Great Finan- 
cial Crisis of 2007-2009 (GFC) began with a downturn in the 
U.S. subprime mortgage market in the summer of 2007 

(Box 10.1).' The years preceding the crisis saw an exceptional 
boom in credit growth in the United States, a massive housing 
price bubble, and an excess of leverage in the financial system 
that had been building since the previous credit crisis of 
2001-2002.” The boom years had also been accompanied by a 
wave of financial innovations related to securitization, which 
expanded the capacity of the financial system to generate credit 
assets but outpaced its capacity to manage the associated risks. 


Unlike previous U.S. credit crises, the GFC affected investors all 
over the world. Massive losses spread from subprime mortgages 
in the United States to other segments of the credit market. 
Banks began to experience large losses and liquidity problems 
amid growing uncertainty about the valuation of credit assets. 
As a result, banks stopped lending to one another. Governments 
around the world intervened by offering liquidity support facili- 
ties and recapitalizing insolvent banks in an effort to encourage 
bank lending. Many banks failed entirely or were taken over. 


February 2008 saw the nationalization of troubled U.K. mortgage 
lender Northern Rock, a victim of the first bank run that nation had 
experienced in 140 years. The following month, U.S. investment 
bank Bear Stearns was absorbed by J.P. Morgan Chase in a deal 
brokered by the U.S. Treasury Department and the Federal Reserve. 


The crisis also brought the asset-backed commercial paper 
(ABCP) and repo markets to a halt, causing numerous hedge 
funds to freeze redemptions or fail. Many special investment 
vehicles (SIVs) and conduits were also wound down. Credit 
losses worldwide eventually exceeded USD 1 trillion. 


The peak of the subprime crisis came in September 2008, which 
saw a cascade of events. 


e Lehman Brothers declared bankruptcy, leading to an immedi- 
ate acute reduction in the interbank borrowing market. Banks 
with excess cash were unwilling to lend money to banks look- 
ing for liquidity in the overnight repo markets. 


1 Some analysts point to the role that US government policy had in pre- 
cipitating the GFC, see for example Peter J. Wallison’s Dissent from the 
Majority Report of the Financial Crisis Inquiry Commission. 


2 Between 2002 and 2007, debt as a percent of national income rose 
from 375% to 475% while at the same time average housing prices 
increased at 11% per year, a record rate. 


3 SIVs and conduits were part of the what is popularly referred to as the 
shadow banking system, which is defined as a network of financial sys- 
tems made up of non-depository banks. Post-crisis legislation in the U.S. 
has addressed some of the issues associated with shadow banking. 


BOX 10.1 SUBPRIME MORTGAGE 
MARKET PRE-CRISIS 


Subprime mortgages? are residential home loans made to 
borrowers with poor credit. In the United States, consumer 
credit quality is measured with a FICO score.» Factors 

that can drive down a FICO score include a limited credit 
history, a large amount of outstanding debt, or a history of 
delinquent payments. The exact definition of a subprime 
borrower can vary, and some lenders even consider 
borrowers with relatively high credit scores as subprime 

if their mortgages have low down payments. Broadly 
speaking, subprime mortgages have more default risk than 
prime mortgages and therefore pay higher interest rates. 


There is another key category of borrowers termed Alt-A. 
These are borrowers that have reasonably strong credit 
ratings but lack essential documentation needed to verify 
their assets and income. 


Subprime mortgages became very popular in the United 
States in the years preceding the financial crisis. According 
to former Fed chairman Ben Bernanke, “[flrom 1994 to 2006, 
subprime lending increased from an estimated USD 35 bil- 
lion, or 4.5 percent of all one-to-four family mortgage origi- 
nations, to USD 600 billion, or 20 percent of originations. ”S 


By early 2007, total outstanding subprime mortgage debt 
was estimated at USD 1.3 trillion.4 


a M. Crouhy, D. Galai, and R. Mark provide an extended discus- 
sion on subprime mortgages in The Essentials of Risk Manage- 
ment, 24 Ed., McGraw Hill, 2014, Ch. 12. 


Þ FICO is an acronym for Fair Isaac Corporation, the developer of 
the methodology. 


€ FRB: Speech-Bernanke, Fostering Sustainable Homeownership,” 
Federalreserve.gov, March 14, 2008. Chairman Bernanke was 
referencing data from the website https://www.insidemortgagefi- 
nance.com/Inside Mortgage Finance 


d Statement of Scott M. Polakoff, Deputy Director Office of Thrift 
Supervision, before the Committee on Banking, Housing and 
Urban Affairs, U.S. Senate, March 22, 2007. https://www.banking 
.senate.gov/imo/media/doc/polakoff.pdf 


The last two major investment banks in the United States, 
Morgan Stanley and Goldman Sachs, were converted to 
bank holding companies and became regulated by the 
Federal Reserve. This move gave them access to the Fed's 
liquidity facilities. 

Fannie Mae and Freddie Mac were nationalized. 


AIG was brought back from the brink of collapse via a USD 
150 billion capital infusion by the U.S. Treasury and the Fed- 
eral Reserve. 


In Europe, many countries had to step in to provide massive 
support to their banks. Dutch financial conglomerate Fortis was 
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broken up and sold. Iceland's largest commercial bank, and 
subsequently the entire Icelandic banking system, collapsed. 


e Many government budgets in Europe were stretched thin due 
to the massive cost of the bank rescues, a situation that contrib- 
uted to a subsequent European sovereign debt crisis in 2010.4 


e There was a fundamental spillover from the financial crisis to 
the wider global economy. This resulted in a massive loss of 
wealth and high unemployment around the world. 


10.2 HOW IT ALL STARTED® 


Growth in housing demand and concomitant mortgage financ- 
ing was fueled (in part) by the low interest rate environment that 
existed in the early 2000s.° This demand helped drive substan- 
tial increases in housing prices.” Low interest rates also spurred 
investors, including institutional investors, to look for invest- 
ments that offered yield enhancement. They found this yield in 
subprime mortgages, which typically carry premiums of up to 
300-basis points over the rates charged to prime borrowers. 


Subprime loans also became increasingly in demand for securiti- 
zation. Through this process, securitizers: 


e Created pools of below investment-grade assets; 
e Bifurcated the cash flows by model-driven certainty; and 


e Packaged the “safest” cash flows into investment-grade 
securities. 


This encouraged banks to develop or grow an originate-to- 
distribute (OTD) business model (see Chapter 4). 


Subprime mortgages became an increasingly large share of 
the overall mortgage market, rising from 7% of total mortgage 
originations in 2001 to 20% in 2006 (Table 10.1). 


4 Countries such as Greece, Portugal, and Ireland were forced to take 
rescue packages from the International Monetary Fund and the Euro- 
pean Central Bank. 


5 This section borrows from Crouhy, Jarrow, and Turnbull, “The Sub- 
prime Credit Crisis of 2007," Journal of Derivatives, Fall 2008, 81-110. 


é In 2007, in the United States, 50 million, or two-thirds of homeowners, 
had mortgages, with 75.2% being fixed rate mortgages and the remain- 
ing 24.8% with adjustable-rate mortgages (ARMs). These figures come 
from the Mortgage Bankers Association, August 15, 2007. 


7 The Fed funds rate was 1% in June 2003. It started to slowly increase 
in June 2004 and was 5.25% by June 2006. It was reduced to 4.75% on 
September 18, 2007. 


8 As a very simple illustration, consider a pool of bonds that in one year's 
time is scheduled to deliver USD 100, with a “worst-case loss” of USD 
35. Then USD 65 could be said to be a very reliable minimally expected 
cash flow and the claim on this amount would be packaged and sold as 
a high-grade asset; the claims on the other USD 35 would also be pack- 
aged and sold as high-yielding paper. 


Percentage of Total Mortgage Loans, 
which are Subprime, by Year of Origination 


2001 7% 
2002 8 
2003 9 
2004 11 
2005 14 
2006 20 


Sources: B&C Lending Fedral Reserve Bank of St. Louis; EIR. 


Many subprime mortgages were structured with low teaser rates 
for the first few years (which were then followed by much higher 
rates once the teaser period ended). Many of these mortgages 
were interest-only over the teaser period as well, meaning that 
no principal payments were required. 


Some borrowers used subprime lending to purchase a house in 
which they intended to live, whereas others were merely specu- 
lating on rising home prices. For either type of borrower, a loan 
could typically be refinanced into another similar mortgage once 
the teaser rate period ended (as long as housing prices rose). If 
refinancing was not possible, a speculator could simply default 
on the mortgage. 


Under the OTD model, losses on subprime mortgages were 
borne not by the banks that initially made the loans, but by the 
investors that eventually owned them. This reduced the incen- 
tive for the originating banks to conduct the appropriate due 
diligence (e.g., proper credit assessments on the borrowers and 
rigorous collateral valuation on the homes being purchased) 
before extending credit. 


Many subprime mortgages were securitized into collateralized 
debt obligations (CDOs) during this time. These credit risk trans- 
fer instruments played a major role in the subsequent sub-prime 
mortgage meltdown. 


Delinquencies on adjustable-rate subprime mortgages rose 
markedly in 2007 and by August of that year, the rate of serious 
delinquencies was approaching 16% (roughly triple its level in 
mid-2005).? By May 2008, this figure had risen to 25%, '° 


? B, S. Bernanke (2007, October 17), “The Recent Financial Turmoil and 
its Economic and Policy Consequences (Speech),” New York. Retrieved 
July 13, 2008. 


10 B, S, Bernanke (2008, May 19), “Mortgage Delinquencies and Fore- 
closures (Speech).” Columbia Business School’s 32nd Annual Dinner, 
New York City. Retrieved May 19, 2008. 
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leading to a massive number of ratings downgrades"! for sub- 
prime mortgage securitized products. 


There are several reasons for why delinquencies rose signifi- 
cantly after mid-2005. 


e In a subprime mortgage transaction, the inherent credit 
quality of the borrower is typically weak, and the mortgage 
is often under-collateralized. Spotty income and payment 
histories, as well as high debt-to-income ratios, are typical of 
subprime borrowers. 

e Traditionally, first-time home mortgages required a 20% 
down payment. In 2005, 43% of first-time home buyers paid 
zero down payment, !? significantly reducing the collateral 
cushion in case housing prices declined. 


e As mentioned previously, many subprime mortgages included 


teaser rates. For example, a 2/28 adjustable-rate 30-year 
mortgage would typically have a teaser rate for the first two 


years, after which it would reset to a (potentially) much higher 


rate (i.e., a short-term rate or index plus a several hundred- 
point spread) for the remaining 28 years. This was not much 
of a problem as long as a borrower could refinance the mort- 


gage before the reset date. But if the borrower could not refi- 


nance and if interest rates increased, the monthly mortgage 
costs could rise very quickly. As it turned out, interest rates 
did start to increase, with the rate on the three-month Trea- 
sury bill rising from less than 1.0% in April 2004 to over 4.0% 
in November 2005.'3 Other mortgage features, such as 
interest-only teaser periods, made this issue even worse. 


e The ability to refinance mortgages ahead of the reset date 
was a common assumption amongst subprime borrowers. 
However, this ability declined significantly when housing 
prices began to fall sharply in 2006. Furthermore, subprime 
mortgage balances quickly began to exceed the market 
value of the homes that collateralized the loans, increasing 
the incentive for borrowers to default. 


e The heavy demand for subprime mortgage products encour- 
aged questionable practices by some lenders. Some bor- 
rowers were steered into subprime mortgages although 
they qualified for mortgages with more attractive terms. 
Meanwhile, other borrowers ended up with mortgages they 
were not qualified to hold and could not afford. Meanwhile, 
increasingly risky products entered the subprime market, 


11 It should be noted that the market was heavily dependent upon the 
rating agencies to provide an explicit risk analysis of these securities, 
which in turn translated to a high implicit impact on market valuation. 


12 N. Knox, “43% of First-time Home Buyers Put No Money Down,” USA 


Today, 2006, Jan. 17. 


13 Board of governors of the Federal Reserve system, H.15 Selected 
Interest rates. 


including NINJA loans (i.e., no income, no job, and no assets) 
and liar loans (which required such a scant amount of docu- 
mentation that borrowers could safely lie on their applica- 
tions). In an attempt to take advantage of the lax lending 
standards and increasingly weak controls, some borrowers 
and mortgage brokers submitted false documentation that 
enabled some borrowers to receive funding under fraudulent 
terms. This situation was exacerbated by the compensation 
structure for most mortgage brokers, which incentivized 
increasing the volume of loans originated and not necessarily 
the long-term performance of those loans. In fact, there were 
few (if any) consequences to a broker if an originated loan 
eventually defaulted. Originating brokers therefore had very 
little incentive to conduct proper due diligence. 


10.3 THE ROLE OF FINANCIAL 
INTERMEDIARIES 


Banks moved assets to be securitized off their balance sheets to 
structured investment vehicles (SIVs), also called conduits. SIVs are 
a limited-purpose, bankruptcy remote companies used by banks 
to purchase assets. They are typically funded with short-term com- 
mercial paper as well as some medium-term notes and capital. 


Securitization involves taking a portfolio of existing assets and 
repackaging their associated cash flows into claims on tranches. 
Bonds are issued against these tranches and the proceeds are 
used to purchase the collateral assets. 


To appeal to investor demand, the different tranches are typi- 
cally structured to have a desired credit rating (with most 
tranches being rated as investment grade). A waterfall structure 
is introduced to differentiate the credit risk associated with the 
claims on the different tranches. The tranches are established in 
order of safety, beginning with Senior AAA debt (often referred 
to as super senior), Junior AAA, AA, A, BBB, BB, and so on. To 
ensure that the super senior tranche receives a AAA rating, a 
surety wrap was sometimes used.'4 


In theory, the OTD model, coupled with extensive use of secu- 
ritization, would distribute risk more broadly throughout the 
financial system. This in turn would make banks less sensitive 
to credit crises, reduce systemic risk, and give banks additional 
funding sources to support their lending. 


The crisis, however, exposed flaws in this theory. Over the 
period from 2003 to 2007, banks appear to have used securiti- 
zation to keep their credit exposures to AAA rated tranches to 
generate extra yield without increasing their regulatory capital 
minimums under Basel Il. 


14 A surety wrap is supplied by a monoline insurer who is obligated to 
make interest and principal payments in the event of default. 
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For example, a residential mortgage attracts a risk-weighted asset 
(RWA) of 50%. Meanwhile, a AAA rated tranche of securitization is 
only subject to an RWA of 20% (because an asset with such a rating 
is presumed to be at low risk of default). The AAA rating also served 
to greatly reduce incentives for investors to investigate and perform 
proper due diligence on the pool. Accordingly, investors thought 
they could increase their returns without adding risk by purchasing 
CDOs, rather than lower yielding corporate bonds or similar assets. 
As explained in the following section, they were wrong. 


10.4 ISSUES WITH THE RATING 
AGENCIES 


As part of a CDO structuring process, the equity holders (known 
as the CDO trust partners) would pay credit rating agencies to 
rate the various liabilities of the CDO.'5 Because CDO trusts 
were aware of the requirements and assumptions that credit rat- 
ing agencies used to assign these ratings, they were able to 
structure the payment waterfalls and associated liabilities in such 
a way as to obtain a high percentage of AAA rated bonds. 


The assumptions used in this rating process were based on his- 
torical data. However, this data did not reflect the changes in the 
asset characteristics that were taking place at the time, including 
the growing number of NINJA (slang for “no income, no job, and 
no assets”) loans, liar loans (i.e., loans with little to no documen- 
tation), and subprime mortgages with 100% loan-to-value ratios. 


Rating agencies also relied on data received from the issuers 
and arrangers, who were bundling the mortgages and perform- 
ing due diligence. Despite widespread knowledge of declining 
lending standards and increasing fraud, it is alleged that the 
rating agencies themselves did not perform any additional due 
diligence or monitoring of the data. 


It is also important to note that subprime mortgage loans 
were too new in the marketplace to offer long-term data that 
could inform risk analyses. Therefore, many of the initial ratings 
assigned to these securitizations (typically the senior tranches 
that were given AAA ratings) were likely faulty from the outset. 


Despite these analytical flaws, there were strong incentives for 
agencies to provide the required ratings. These agencies are paid 
to monitor the CDO over its life. But if the CDO trust did not 

get formed because too few bonds were AAA rated, the agency 
would miss out on this profitable and continual cash stream. 


15 At one time, credit rating agencies charged investors to use ratings. 
That model changed and now securities issuers pay a fee to have their 
securities rated, which is referred to as the issuer-pay model. Obviously, 
this causes potential conflicts in that credit rating agencies may compete 
for business by having lower credit enhancement requirements (and 
therefore lower funding costs) than the competition so that more CDO 
tranches will have a AAA rating. 


10.5 A PRIMER ON THE SHORT-TERM 
WHOLESALE DEBT MARKET 


There are two main instruments that constitute the short-term 
wholesale debt market: repurchase agreements and commercial 
paper (CP). Both markets shut down early in the crisis as market 
participants started to doubt the quality of the collateral. 


Repurchase agreements (also known as repos) are used by many 
financial institutions, including banks, brokerage firms, and 
money market funds. A standard repo involves 


e The sale of an asset; and 


e An agreement to buy the asset back at a slightly higher price 
at a specified future date. 


The seller of the security receives cash at the outset of the repo 
and can thus be viewed as a borrower in a collateralized loan 
transaction (with the security serving as the collateral). The 
buyer of the security, who gives cash at the outset of the repo 
and then receives a higher sum at the end of the term of the 
repo, can be considered a lender (with the higher sum repre- 
senting principal plus interest). 


Various types of securities can be used as collateral in repo 
transactions, ranging from government bonds and high-quality 
corporate bonds to tranches of securitizations. The quality of 
the collateral greatly influences the size of the haircut (i.e., the 
percent reduction from the initial market value the lender is 
willing to give the borrower), with higher (lower) quality col- 
lateral having smaller (larger) haircuts. For example, a haircut 
of 10% means that a borrower can borrow USD 90 for each 
USD 100 pledged collateral. A haircut is intended to protect 
the lender from recovering less than the full value of the loan 
amount in the event they need to sell the collateral after 

a default. 


Repos are excluded from the bankruptcy process. This means 
that if one counterparty fails, the other may terminate the trans- 
action unilaterally and either keep the cash or sell the collateral. 


In unsecured CP financing, short-term debt is issued but is not 
backed by any specific assets. Because there is no specific col- 
lateral that a lender can seize in the event of default, unsecured 
CP issuers generally have very high credit quality. If a CP issuer's 
credit quality deteriorates, such as through a rating downgrade, 
there is usually an orderly exit through margin calls. 


Asset-backed commercial paper (ABCP) is a special case of CP 
where the issuer finances the purchase of the assets by issuing 
CP, with the assets serving as collateral. 


The demand for collateral increased in the years preceding the 
crisis, driven by the growth of the OTC derivatives markets and 
an increasing reliance on short-term collateralization by financial 
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institutions. This demand was (in part) satisfied by 4 
the issuance of AAA rated securitization tranches. 

According to statistics from the Federal Reserve 

Bank of New York, the total primary dealers’ inven- 3 
tory of repos increased from USD 1.6 trillion in 2000 
to over USD 4.5 trillion in 2008.'6 
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relied on being able to regularly roll over short-term o 


debt to finance their longer dated assets. 


As mortgage-backed securities began to lose value, 
however, the credit quality of many SIVs declined. 
This led to the rapid downgrading of the credit 
ratings of the ABCP issued by these SIVs and an 
increasing skepticism about pledged collateral 
value, which prevented a growing number of SIVs 
from rolling over their ABCP. Simultaneously, liquidity in the 
subprime-related asset markets disappeared. 


Note that until the middle of 2007, counterparty credit risk was 
not priced by the market. There was hardly any difference (i.e., 
only 2- to 5-basis points) between the unsecured overnight 
index swap (OIS) rate and the swap rates for all reset periods 
(i.e., three months, six months, one year).'7 


Starting in June of that year, market participants began to worry 
not only about the value of asset-backed securities but also 
about how much exposure banks and other financial institutions 
had to the subprime market.'® As a result, the OlS-swap spread 
exploded (as shown in Figure 10.1). It remained high during the 
crisis, jumped again when Lehman Brothers failed, and did not 
come back to pre-crisis levels.'? 


16 Adrian et al., 2009, “Federal Reserve Bank of New York Current Issues 
in Economics and Finance,” Volume 15, Number 4, August 2009. 


17 Banks repriced their swap books with only one interest rate term struc- 
ture curve (e.g., the three-month swap rate curve). This all changed in 
mid-2007, when market participants started to price counterparty credit 
risk and credit spreads on all credit assets went up substantially. Banks 
switched to a new methodology called bi-curve, which uses one interest 
rate curve to derive coupons and another for discounting cash flows. 


18 Since the 1970s monoline insurance providers had an important role in 
municipal finance. In the years preceding the financial crisis, much of the 
growth of the monolines came in structured credit products such as asset- 
backed bonds and CDOs. Initially monolines carried enough capital to 
earn a AAA rating which removed the need for them to post collateral. 


19 Since 2007 the pricing of OTC derivatives incorporates the risk of 
default of the counterparty (CVA—counterparty valuation adjustment) 
and Basel Ill imposes a capital charge against counterparty credit risk. 


1/1/2007 
Libor-OlS spread. 


Source: Carpenter and Demiralp, 2011, “Volatility, Money Market Rates, and the 
Transmission of Monetary Policy,” Finance and Economics Discussion Series: 2011-22, 
Federal Reserve Board. 
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At the same time, credit spreads on all credit assets increased 
substantially, lowering the market price of the credit assets. This 
led to a systematic increase in haircuts, from zero pre-crisis to 
more than 45% when Lehman failed in September 2008 (see 
Figure 10.2). 


Gorton? provides an illustration of the dynamics that began 
with a liquidity crisis and ended up in a solvency crisis, especially 
for highly levered institutions that relied heavily on short-term 
wholesale funding (repos). 


For example, consider a bank with USD 100 in assets. In turn, 
these assets are backing USD 40 in long-term debt, USD 50 in 
repo financing, and USD 10 in equity. Suppose repo haircuts 
increase from zero to 20%, dropping repo financing from USD 
50 to USD 40. The bank is now short of funding by USD 10. In 
a normal market, the bank could simply sell USD 10 in assets. 
Its new balance sheet would look like the following: USD 90 
in assets backing USD 40 in long-term debt, USD 40 in repo 
financing, and USD 10 in equity. 


However, if there is a simultaneous sell off in the markets, the 

market value of the assets can fall precipitously. If the value of 
the bank's assets falls below USD 90, then the equity is wiped 
out and the bank becomes insolvent. 


20 G. Gorton, Slapped in the Face by the Invisible Hand: Banking in the 
Panic of 2007, Yale University and the National Bureau of Economic 
Research, 2009. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10 
-1.1.189.1320&rep=rep1&type=pdf 
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By the summer of 2007, the short-term wholesale funding markets 
started to freeze, including both the ABCP market and the repo 
market. Investors stopped rolling maturing ABCP, forcing banks to 
repatriate SIV assets onto their balance sheets. With the significant 
increase in repo haircuts, institutions that relied on repo financing 
were unable to roll their short-term funding. At that point, there 
were only three outcomes: bailout, merger, or bankruptcy. 


This is exactly the scenario that led to the failure of Bear 
Stearns, mortgage banks Northern Rock in the United Kingdom, 
IndyMac in California, and Lehman Brothers. Note that all these 
institutions satisfied Basel minimum regulatory capital require- 
ments before they failed. 


Relying heavily on short-term wholesale funding can be danger- 
ous, as it can disappear overnight. 


10.7 VALUATION UNCERTAINTY 
AND TRANSPARENCY ISSUES 


Previous sections showed how a wave of uncertainty over the 
valuation of asset-backed structured products exacerbated the 
crisis by effectively freezing the short-term debt markets. But 
what made these products so problematic? 


First of all, they are difficult to value even when there isn’t an 
ongoing crisis. Their liability structure and cash flow waterfalls 


tend to be complex and contain different types of collateral and 
interest rate triggers. Also, even if they share a basic securitiza- 
tion framework, each structured product is unique. Therefore, 
the model(s) used to simulate the cash flows for each bond must 
be customized to fit the unique aspects of the structure. 


The assets in the collateral pool must also be valued. In the 
case of ABS trusts, this can require the valuation of thousands 
of subprime mortgages, with a wide variety of borrower char- 
acteristics and loan terms. CDOs may contain securities issued 
by ABS trusts, while CDO-squared structures contain securi- 
ties issued by other CDOs. Some asset pools contain synthetic 
ABS credit default swaps. All of these complex instruments 
must be valued. 


Modeling the cash flows to the trusts can be further compli- 
cated by the fact that they are often dependent on the future 
values and credit ratings of the collateral. All future values and 
credit ratings must therefore be estimated in order to estimate 
the value today. The fact that there is often little data available, 
even to sophisticated investors, on the different asset pools 
presents another challenge when it comes to valuation. 


These products also had transparency issues. Many investors, 
even seemingly sophisticated investors, simply did not have the 
in-house expertise to understand/analyze the complex products 
they were buying. Furthermore, they did not understand the 
potential risks that might arise from the assumptions underlying 
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the valuation and credit rating models. Investors simply did not 
foresee how these assumptions might fail under stressed condi- 
tions. As a result, they chose to be completely reliant on the 
rating agencies for risk measurement. Moreover, many buyers 
of these products were yield buyers who made their investment 
decisions based on projected cash flows. However, this is a poor 
measure of potential return because it assumes the cash flow 
estimates are accurate and that all cash flows can be reinvested 
at an interest rate equal to the computed cash flow yield. 


At the same time, the valuation of illiquid assets was opaque. 
With no readily available benchmark prices, this lack of transpar- 
ency made investors highly skeptical of reported prices when 
assessing the credit risk of a counterparty. 


The lack of transparency extended to types of products within 
the SIVs, because banks may hold assets until they can be secu- 
ritized and sold. Their exact holdings are, therefore, often 


unknown to investors." 


The total volume of outstanding commitments that a financial 
institution had given, including existing backstop lines of credit 
the bank was committed to or loan commitments for private 
equity buyouts, was also hard to determine. Many banks also 
had profitable money market franchises and these relationships 
carried implicit commitments to these funds in the event they 
experienced significant difficulties (e.g., a run on the fund). 


A wave of uncertainty, combined with a lack of transparency, 
triggered the subprime crisis in the summer of 2007. 


e In June 2007, Bear Sterns tried to rescue two hedge funds 
that were threatened by losses from subprime mortgages. 
The prime broker for one of the funds, Merrill Lynch, seized 
USD 850 million in underlying collateral but had great dif- 
ficulty selling any of it. Merrill's troubles showed how illiquid 
the market for some these assets had become. 


e In August 2007, BNP Paribas froze (i.e., barred investors from 
making withdrawals from) three funds with USD 2.2 billion in 
assets because of an inability to value the subprime assets in 
the funds. 


The market became increasingly concerned that many of the 
structured products that had been issued in recent years might 


21 The amount of reported Level 3 asset, however, could offer a rough 
guide. In 2006, the U.S. Financial Accounting Standards Board (FASB) 
required firms to value their assets through a classification system. 

Level 1 assets are those that can be valued according to observable 
market prices. Level 2 assets are those that can be marked to market. 
Level 3 asset values are determined based on models and unobservable 
inputs. Their valuation can be rather subjective. Examples of Level 3 
assets are MBS, private equity shares, complicated derivatives, foreign 
stocks, and distressed debt. 


be mispriced. Worry spread beyond just the products them- 
selves, however, as the significant exposure of large financial 
institutions to the subprime market was also called into question. 


Shortly after these events, the markets for wholesale short-term 
funding effectively shut down. 


10.8 CENTRAL BANKS 
TO THE RESCUE 


In response to the growing crisis, the Federal Reserve and other 
central banks from around the world came up with innovative 
liquidity injection facilities. Between the fall of 2007 and the end 
of 2008, the Fed created backstop facilities for a majority of the 
asset classes that experienced stress during the crisis. Its actions 
included 


e Creating long-term lending facilities against high quality 
collateral, 

e Opening the discount window”? to investment banks and 
securities firms, 

e Providing funds to be lent against high-quality illiquid asset- 
backed securities, 


e Providing funds to finance the purchase of unsecured CP and 
ABCP, 


e Providing liquidity to money market funds, and 


e Purchasing assets from Fannie Mae and Freddie Mac.” 


These actions were liquidity-targeted measures. Consequently, 
the size of central banks’ balance sheets increased considerably. 


The major government interventions in the United States during 
the crisis were the following.” 


e The Term Auction Facility (TAF), a program implemented in 
December 2007 and designed to provide funds to deposi- 
tory institutions by auctioning funds against a wide range of 
collateral 

e The Primary Dealer Credit Facility (PDCF), which the allowed 
the Fed to lend funds, via repos, to primary dealers 


e The Economic Stimulus Act of February 2008 


22 The discount window is a Federal Reserve lending facility that helps 
financial institutions manage short-term liquidity needs. 


23 Fannie Mae and Freddie Mac were two U.S. government sponsored 
enterprises that played a significant role in the mortgage markets at 
that time. 


24 Viral Acharya, Thomas Philippon, Matthew Richardson, and Nouriel 
Roubini, The Financial Crisis of 2007-2009: Causes and Remedies, 2009, 
NYU Salomon Center for the Study of Financial Institutions publication. 
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e A Government takeover of Fannie Mae and Freddie Mac in 
September 2008 


e The Troubled Asset Relief Program (TARP) in October 200825 


10.9 SYSTEMIC RISK IN ACTION 


Systemic risk is the risk that events at one firm, or in one market, 
can extend to other firms or markets. In turn, this can put entire 

markets or economies at risk. Systemic risk played a large role in 
exacerbating the impact of the crisis. 


Note that in the ABCP and repo markets, collateral quality is 
important in reducing the risk of a default by the borrower. 
Lenders in these markets need to have confidence in the nature 
and value of the assets used as collateral. As the ABCP and repo 
markets deteriorated, however, this confidence disappeared. 
Lenders became increasingly concerned about whether the 
collateral contained subprime mortgages and whether any of 
the reported valuations could be relied upon. Due to the lack 

of transparency in these markets, even borrowers without sub- 
prime exposure simply could not roll over their debt. 


It is often difficult to estimate the price of illiquid assets even 
under normal market conditions. For many in the summer of 


25 On October 28, 2008, Bank of America, BNY Mellon, Citigroup, Gold- 
man Sachs, J.P. Morgan Chase, Morgan Stanley, State Street, and Wells 
Fargo received a total of USD 115 billion under the TARP program. 


See United States., Government Accountability Office. (2009). The Trou- 
bled Asset Relief Program March 2009 status of efforts to address trans- 
parency and accountability issues: Report to congressional Committees. 
Washington, D.C.: U.S. Govt. Accountability Office. https://www.gao 
.gov/assets/290/288105.pdf 


2007 (e.g., BNP Paribas), it became impossible. Managers of 
money market funds, typically large purchasers of ABCP and 
active participants in the repo markets, began to flee and to 
seek refuge in Treasury bills. 


The collapse of the ABCP and repo markets had numerous 
repercussions. Many hedge funds, unable to roll over their 
debt, were forced to sell assets. As hedge funds tend to hold a 
wide variety of assets, this impacted many markets. One of the 
first to be hit was the CDO market, which came under signifi- 
cant selling pressure. Many funds though, feeling that prices 
were artificially low or simply unable to practically liquidate 
such holdings, resorted to liquidating other assets. To close 
out existing positions, some funds sold higher credit-rated 
assets and bought lower credit-rated assets that were shorted. 
This pushed the prices of the higher quality assets down and 
the prices of the lower quality assets up. Some quantitative 
hedge funds that traded on pricing patterns were adversely 
impacted by this type of price reversal. Institutional investors 
and hedge funds unwound carry trades at a loss in an effort to 
reduce leverage. 


At the same time, banks began to hoard cash (in part) due to 
the uncertainty around the magnitude of possible drawdowns 
on the backstop credit lines they had extended to SIVs. Add- 
ing to banks’ concerns were outstanding commitments to 
underwrite leveraged buyouts. During the first part of August 
2007, the three-month Libor (London interbank offered rate) 
rose over 30-basis points. The reluctance to lend became 
widespread as credit standards tightened, negatively impact- 
ing hedge funds and other financial institutions, squeezing the 
availability of mortgages (both residential and commercial), and 
restricting business lending. Thus, a financial crisis became an 
economic crisis. 
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The following questions are intended to help candidates understand the material. They are not actual FRM exam questions. 


QUESTIONS 


10.1 


10.2 


10.3 


10.4 


10.5 


10.6 


10.7 


10.8 


Unlike other financial crises, the GFC did not spillover 
from the financial markets to the wider economy. 

A. True 

B. False 


A key driver of the demand for housing in the U.S. was 
the environment of low interest rates. 

A. True 

B. False 


Many subprime mortgages were structured with lower 
teaser rates and higher down payments compared to 
traditional mortgages. 

A. True 

B. False 


Under the originate-to-distribute model, losses on 
subprime mortgages were absorbed by the banks that 
initially made the loans (and not by investors) because 
the loans were guaranteed by the banks. 

A. True 

B. False 


What triggered the subprime crisis in the summer of 
2007 was a wave of uncertainty combined with a lack of 
transparency. 

A. True 

B. False 


Structured investment vehicles (SIVs) were typically 
funded short-term and relied on being able to regularly 
roll over short-term debt to finance their longer dated 
assets. 

A. True 

B. False 


As part of the CDO structuring process, the CDO trust 
partners pays one or more credit rating agencies to rate 
the various liabilities of the CDO. 

A. True 

B. False 


Only government securities can be used as collateral in 
repo transactions. 

A. True 

B. False 


10.9 


10.10 


10.11 


10.12 


10.13 


As credit spreads on all credit assets increased 
substantially during the financial crisis, the market 
price of credit assets declined, leading to a systematic 
decrease in haircuts on repos from pre-crisis levels. 


A. True 
B. False 


Residual risk is the risk that events at one firm, or in one 
market, can extend to other firms or markets. 

A. True 

B. False 


At the peak of the GFC in September 2008, which of the 

following events did not occur 

A. Lehman Brothers declared bankruptcy. 

B. Morgan Stanley and Goldman Sachs were converted 
to bank holding companies. 

C. Fannie Mae and Freddie Mac were officially 
designated government sponsored enterprises. 

D. AIG was brought back from the brink of collapse. 


Subprime loans became increasingly in demand 

for securitization because, through this process, 

securitizers 

A. Created pools of below investment-grade assets 

B. Bifurcated the cash flows by model-driven 
certainty 

C. Packaged the “safest” cash flows into investment- 
grade securities 

D. All of the above 


Which of the following statements is incorrect? 

A. Prior to the GFC, many subprime mortgages were 
securitized into collateralized debt obligations 
(CDOs). 

B. Delinquencies on adjustable-rate subprime 
mortgages rose markedly in 2007. 

C. Prior to the GFC, banks moved assets to be 
securitized off their balance sheets to structured 
investment vehicles. 

D. During the GFC, asset-backed commercial paper 
provided banks with sufficient liquidity, which 
reduced the adverse impact of the financial crisis. 
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10.14 Which of the following statements is incorrect about the 


securitization of mortgages? 

A. Securitization eliminates the credit risk associated 
with mortgage pools. 

B. Securitization involves taking a portfolio of existing 
assets and repackaging their associated cash flows 
into claims on tranches. 

C. To appeal to investor demand, the different tranches 
are typically structured to have a desired credit 
rating. 

D. Tranches are established in order of safety, beginning 
with Senior AAA debt, Junior AAA, AA, A, BBB, BB, 
and so on. 


10.15 Which of the following statements is incorrect? 


A. In unsecured commercial paper financing, short-term 
debt is issued but is not backed by any specific 
assets. 

B. Repos are included in the bankruptcy process. 

C. In a repo, a haircut is intended to protect the lender 
from recovering less than the full value of the loan 
amount in the event it needs to sell the collateral 
after a default. 

D. Asset-backed commercial paper is a special case 
of CP where the issuer finances the purchase of 
the assets by issuing CP, with the assets serving as 
collateral. 


10.16 Which of the following was not a form of intervention by 


the U.S. government during the global financial crisis? 
A. The Term Auction Facility (TAF) 

B. The Primary Dealer Credit Facility (PDCF) 

C. The repeal of the Truth in Lending Act 

D. The Troubled Asset Relief Program (TARP) 


10.17 


10.18 


10.19 


10.20 


10.21 


10.22 


The following questions are intended to help candidates understand the material. They are not actual FRM exam questions. 


During the summer of 2007, banks such as Northern 
Rock in the U.K. started to run into funding problems 
because of the shutdown of 

A. the asset backed commercial paper (ABCP) market. 
B. the repo markets. 

C. AandB. 


As early as the summer of 2007, the short-term wholesale 
funding markets started to freeze. As a consequence, 
there was a significant increase in 

A. the Libor-OlS spread. 

B. repo haircuts. 

C. AandB. 


The Lehman Brothers collapse 

A. could have been easily predicted from the ratings of 
Lehman’s debt instruments. 

B. could have been predicted from the financial reports 
of the company. 

C. all of the above. 

D. none of the above. 


How did governments throughout the world intervene 
during the GFC? 

What is the originate-to-distribute (OTD) business 
model? 


Describe in a few words the systemic impact of the 
default of a major OTC derivatives dealer such as 
Lehman Brothers. 
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The following questions are intended to help candidates understand the material. They are not actual FRM exam questions. 


ANSWERS 


10.1 


10.2 


10.3 


10.4 


10.5 
10.6 
10.7 


10.8 


10.9 


10.10 


10.11 


10.12 


10.13 


False 


The GFC not only spilled over to the U.S. economy, but 
throughout the world. 


True 


Low interest rates available on mortgages did encourage 
housing demand. 


False 


Although subprime mortgages were structured with 
teaser rates, the down payment was very low. 


False 


Under the OTD model, losses on subprime mortgages 
were not absorbed by the banks that initially made the 
loans, but by the investors that eventually owned them. 


True 
True 
True 


The CDO trust partners do pay to obtain a rating for the 
tranches of a CDO. 


False 


Various types of securities can be used as collateral in 
repo transactions, ranging from government bonds 
and high-quality corporate bonds to tranches of 
securitizations. 


False 

It leads to a systematic increase in repo haircuts. 
False 

This is the definition of systemic risk. 

C. 


Fannie Mae and Freddie Mac were already GSEs. They 
were nationalized. 


D. 


All choices lead to an increase in demand for subprime 
loans. 


D. 


D is incorrect since the asset-backed commercial market 
failed as a source of funding during the GFC. 


10.14 


10.15 


10.16 


10.17 


10.18 


10.19 


10.20 


10.21 


10.22 


A. 


Securitization redistributes the credit risk associated with 
a pool of mortgages; it does not eliminate the credit risk. 


B. 

Repos are in fact excluded in the bankruptcy process. 
C. 

All of the others were forms of intervention. 

C. A and B 


By the summer of 2007, the short-term wholesale fund- 
ing markets started to freeze, including both the ABCP 
market and the repo market. 


C. A and B 


The OlS-swap spread exploded (as shown in Figure 10.1) 
in the summer of 2007. It remained high during the crisis, 
jumped again when Lehman Brothers failed, and never 
came back to pre-crisis levels. At the same time, there 
was systematic increase in haircuts, from zero pre-crisis to 
more than 45% when Lehman failed in September 2008 
(see Figure 10.2). 


D. None of the above 
Note that Lehman satisfied the Basel minimum regula- 
tory capital requirements before it failed. 


Governments around the world intervened by offering 
liquidity support facilities and recapitalizing insolvent 
banks in an effort to encourage bank lending. 


In the originate-to-distribute business model, banks: 
e Extend loans; 

e Securitize the loans; and 

e Sell the securities to investors. 


Lehman’s default triggered a cascade of defaults among 
its counterparties, who could not get back their collat- 
eral. Dealers that had no direct link to Lehman, but were 
counterparties of failed direct counterparties of Lehman, 
also defaulted. 
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GARP Code 
of Conduct 


E Learning Objectives 


After completing this reading you should be able to: 


® Describe the responsibility of each GARP Member with ® Describe the potential consequences of violating the 
respect to professional integrity, ethical conduct, conflicts GARP Code of Conduct. 
of interest, confidentiality of information, and adherence 
to generally accepted practices in risk management. 
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|. INTRODUCTORY STATEMENT 


The GARP Code of Conduct (“Code”) sets forth principles of 
professional conduct for Global Association of Risk Professionals 
(“GARP"), Financial Risk Management (FRM®) and Energy Risk 
Professional (ERP®) certifications and other GARP certification 
and diploma holders and candidates, GARP’s Board of Trustees, 
its Regional Directors, GARP Committee Members and GARP’s 
staff (hereinafter collectively referred to as “GARP Members”) 
in support of the advancement of the financial risk management 
profession. These principles promote the highest levels of ethi- 
cal conduct and disclosure and provide direction and support 
for both the individual practitioner and the risk management 
profession. 


The pursuit of high ethical standards goes beyond following 
the letter of applicable rules and regulations and behaving in 
accordance with the intentions of those laws and regulations, it 
is about pursuing a universal ethical culture. 


All individuals, firms and associations have an ethical character. 
Some of the biggest risks faced by firms today do not involve 
legal or compliance violations but rest on decisions involving 
ethical considerations and the application of appropriate stan- 
dards of conduct to business decision making. 


There is no single prescriptive ethical standard that can be 
globally applied. We can only expect that GARP Members will 
continuously consider ethical issues and adjust their conduct 
accordingly as they engage in their daily activities. 


This document makes references to professional standards and 
generally accepted risk management practices. 


Risk practitioners should understand these as concepts that 
reflect an evolving shared body of professional standards 

and practices. In considering the issues this raises, ethical 
behavior must weigh the circumstances and the culture of the 
applicable global community in which the practitioner resides. 


Il. CODE OF CONDUCT 


The Code is comprised of the following Principles, Professional 
Standards and Rules of Conduct which GARP Members agree to 
uphold and implement. 


1. Principles 


1.1 Professional Integrity and Ethical Conduct. GARP Mem- 
bers shall act with honesty, integrity, and competence to 


1.2 


1.3 


2:2 


2.3 


fulfill the risk professional's responsibilities and to uphold 
the reputation of the risk management profession. GARP 
Members must avoid disguised contrivances in assess- 
ments, measurements and processes that are intended to 
provide business advantage at the expense of honesty and 
truthfulness. 


Conflicts of Interest. GARP Members have a responsi- 
bility to promote the interests of all relevant constituen- 
cies and will not knowingly perform risk management 
services directly or indirectly involving an actual or 
potential conflict of interest unless full disclosure has 
been provided to all affected parties of any actual or 
apparent conflict of interest. Where conflicts are unavoid- 
able GARP Members commit to their full disclosure and 
management. 


Confidentiality. GARP Members will take all reasonable 
precautionary measures to prevent intentional and uninten- 
tional disclosure of confidential information. 


Professional Standards 


Fundamental Responsibilities. 


e GARP Members must endeavor, and encourage 
others, to operate at the highest level of professional 
skill. 


e GARP Members should always continue to perfect their 
expertise. 


e GARP Members have a personal ethical responsibility 
and cannot out-source or delegate that responsibility to 
others. 


Best Practices. 


e GARP Members will promote and adhere to applicable 
“best practice standards,” and will ensure that risk 
management activities performed under his/her direct 
supervision or management satisfies these applicable 
standards. 


e GARP Members recognize that risk management does 
not exist in a vacuum. GARP Members commit to consid- 
ering the wider impact of their assess ments and actions 
on their colleagues and the wider community and envi- 
ronment in which they work. 


Communication and Disclosure. GARP Members issuing 
any communications on behalf of their firm will ensure that 
the communications are clear, appropriate to the circum- 
stances and their intended audience, and satisfy applicable 
standards of conduct. 
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Ill. RULES OF CONDUCT 


1. Professional Integrity and Ethical 
Conduct 


GARP Members: 

1.1 Shall act professionally, ethically and with integrity in all 
dealings with employers, existing or potential clients, the 
public, and other practitioners in the financial services 
industry. 


1.2 Shall exercise reasonable judgment in the provision of risk 
services while maintaining independence of thought and 
direction. GARP Members must not offer, solicit, or accept 
any gift, benefit, compensation, or consideration that could 
be reasonably expected to compromise their own or anoth- 
er's independence and objectivity. 


1.3 Must take reasonable precautions to ensure that the 
Member's services are not used for improper, fraudulent or 
illegal purposes. 


1.4 Shall not knowingly misrepresent details relating to 
analysis, recommendations, actions, or other professional 
activities. 


1.5 Shall not engage in any professional conduct involving 
dishonesty or deception or engage in any act that reflects 
negatively on their integrity, character, trustworthiness, or 
professional ability or on the risk management profession. 


1.6 Shall not engage in any conduct or commit any act that 
compromises the integrity of GARP, the (Financial Risk 
Manager) FRM designation or the integrity or validity of 
the examinations leading to the award of the right to use 
the FRM designation or any other credentials that may be 
offered by GARP. 


1.7 Shall endeavor to be mindful of cultural differences regard- 
ing ethical behavior and customs, and to avoid any actions 
that are, or may have the appearance of being unethical 
according to local customs. If there appears to be a conflict 
or overlap of standards, the GARP member should always 
seek to apply the higher standard. 


2. Conflict of Interest 


GARP Members: 

2.1 Shall act fairly in all situations and must fully disclose any 
actual or potential conflict to all affected parties. 

2.2 Shall make full and fair disclosure of all matters that could 
reasonably be expected to impair their independence and 


objectivity or interfere with their respective duties to their 
employer, clients, and prospective clients. 


3. Confidentiality 
GARP Members: 


3.1 Shall not make use of confidential information for inap- 
propriate purposes and unless having received prior 
consent shall maintain the confidentiality of their work, 
their employer or client. 


3.2 Must not use confidential information to benefit personally. 


4. Fundamental Responsibilities 


GARP Members: 

4.1 Shall comply with all applicable laws, rules, and regu- 
lations (including this Code) governing the GARP 
Members’ professional activities and shall not knowingly 
participate or assist in any violation of such laws, rules, or 
regulations. 


4.2 Shall have ethical responsibilities and cannot out-source or 
delegate those responsibilities to others. 


4.3 Shall understand the needs and complexity of their 
employer or client, and should provide appropriate and 
suitable risk management services and advice. 


4.4 Shall be diligent about not overstating the accuracy or cer- 
tainty of results or conclusions. 


4.5 Shall clearly disclose the relevant limits of their specific 
knowledge and expertise concerning risk assessment, 
industry practices and applicable laws and regulations. 


5. General Accepted Practices 


GARP Members: 

5.1 Shall execute all services with diligence and perform all 
work in a manner that is independent from interested 
parties. GARP Members should collect, analyze and distrib- 
ute risk information with the highest level of professional 
objectivity. 

5.2 Shall be familiar with current generally accepted risk man- 
agement practices and shall clearly indicate any departure 
from their use. 


5.3 Shall ensure that communications include factual data and 
do not contain false information. 


5.4 Shall make a distinction between fact and opinion in the 
presentation of analysis and recommendations. 
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IV. APPLICABILITY AND 
ENFORCEMENT 


Every GARP Member should know and abide by this Code. 
Local laws and regulations may also impose obligations on 
GARP Members. Where local requirements conflict with the 
Code, such requirements will have precedence. 


Violation(s) of this Code by may result in, among other things, 
the temporary suspension or permanent removal of the GARP 
Member from GARP’s Membership roles, and may also include 
temporarily or permanently removing from the violator the right 
to use or refer to having earned the FRM designation or any 
other GARP granted designation, following a formal determina- 
tion that such a violation has occurred. 
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